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RIJNDAEL BLOCK CIPHER APPARATUS AND 
5 ENCRYPTION/DECRYPTION METHOD THEREOF 

Brief Description of the Drawings 

The above object, other features and advantages of the present invention 
will become more apparent by describing the preferred embodiments thereof with 
1 0 reference to the accompanying drawings, in which: 

FIG. 1 is a view illustrating the construction of a rijndael block cipher 
apparatus according to the present invention. 

FIG. 2 is a view illustrating the construction of a round operation unit 

FIG. 3 is a view illustrating the construction of a round key generation 

1 5 unit. 

FIG. 4 is a first timing diagram illustrating a method of encrypting a 
rijndael block cipher according to the present invention. 

FIG. 5 is a first timing diagram illustrating a method of decrypting a 
rijndael block cipher according to the present invention. 
20 FIG. 6 is a second timing diagram illustrating a method of encrypting a 

rijndael block cipher according to the present invention. 

FIG. 7 is a second timing diagram illustrating a method of decrypting a 
rijndael block cipher according to the present invention. 

FIG. 8 is a third timing diagram illustrating a method of encrypting a 
2 5 rijndael block cipher according to the present invention. 

FIG. 9 is a third timing diagram illustrating a method of decrypting a 
rijndael block cipher according to the present invention. 

Technical Field 

30 The present invention relates generally to a rijndael block cipher 

apparatus and an encryption/decryption method thereof; and more particularly to a 
rijndael block cipher apparatus which is mounted in a cellular phone, PDA, smart 
card, and so on, and which can encrypt and decrypt important data that requires 
security at high speed, and an encryption/decryption method thereof 
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Background Art 

Rijndael algorithm is a symmetric secret-key encryption algorithm that 
was developed by Joan Daemen and Vincent Rijmen who are Belgian encryption 
developed, and then selected as a new AES (Advanced Encryption Standard) by 
5 American NIST (National Institute Standards and Technology) in October, 2000 
or thereabouts. 

The rijndael algorithm supports a variable block length of an SPN 
(Substitution-Permutation Network) structure, and enables the use of 128-bit, 192- 
bit, and 256-bit keys with respect to respective block lengths. 
10 The number of rounds in the rijndael algorithm is determined by key 

lengths, and in the case of using the 128-bit block, it is recommended to use 10, 
12 and 14 rounds with respect to the 128-bit, 192-bit and 256-bit keys, 
respectively. 

Recently, it is known that the rijndael algorithm causes no problem in 

15 security even if the 128-bit key is used, and thus researches for hardware 
implementation of the rijndael algorithm using the key having a length of 128 bits 
has already been under way. 

Since the rijndael algorithm encrypts/decrypts data for the rijndael block 
encryption/decryption by repeating round operations, and is especially provided 

20 for supporting the variable block length of the SPN structure, the encryption 
process of a rijndael block cipher is different from the decryption process thereof. 
Typically, a round operation for the encryption process of the rijndael block 
cipher is composed of four transforms of substitution, shift jrow, mixcolumn and 
add-round-key, and a round operation for the decryption process is composed o 

25 four transforms of inverse-shift_row, inverse substitution, add-round-key and 
inverse mixcolumn. According to methods of performing these transforms, times 
required for the round operation for the rijndael block cipher and hardware 
resources to be used differ, and further the method of performing the transform is 
vital to the performance of a rijndael cipher processor. Accordingly, it is 

30 important to reduce the amount of hardware resource required for the 
implementation of the round operation and the time required for performing of the 
round operation. 

Disclosure of the Invention 
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Therefore, the applicant has developed a rijndael block cipher apparatus 
including an operational unit that efficiently performs a round operation for 
encrypting/decrypting the rijndael block cipher and an encryption/decryption 
method thereof. 

5 It is an object of the present invention is to solve the problems involved 

in the prior art and to provide a rijndael block cipher apparatus which is mounted 
in a mobile terminal such as a cellular phone and a PDA or a smart card, which 
requires a high-rate and small-sized cipher processor, and which can encrypt and 
decrypt important data that requires security at high speed, and an 

1 0 encryption/decryption method thereof. 

In order to accomplish the above-mentioned object, a rijndael block 
cipher apparatus according to an embodiment of the present invention comprises a 
round operation unit for transforming a 128-bit input key into a 128-bit round key 
for encryption or decryption, and storing the 128-bit round key according to a 

15 value of a mode signal from a time when a round operation start signal, a round 
number signal and a bit selection signal for dividing the 128-bit input data into 
upper 64 bits and lower 64 bits and selecting the upper or lower 64 bits are 
inputted after an encryption or decryption operation start signal and the mode 
signal are inputted, encrypting the 128-bit input data by dividing the 128-bit input 

20 data into the upper 64 bits and the lower 64 bits and by performing a round 
operation which is composed of transforms of shift_row, substitution, mixcolumn 
and add-round-key with respect to the divided upper 64 bits and lower M bits, 
respectively, and decrypting the 128-bit input data by dividing the 128-bit input 
data into the upper 64 bits and the lower 64 bits and by performing a round 

25 operation which is composed of transforms of inverse-shift jrow, inverse 
substitution, add-round-key and inverse mixcolumn with respect to the divided 
upper 64 bits and lower b4 bits, respectively; a round operation control unit for 
controlling the round operation of the round operation unit by transmitting the 
round operation start signal, the round number signal and the bit selection signal 

30 for dividing the 128-bit input data into the upper 64 bits and lower 64 bits and 
selecting the upper or lower 64 bits to the round operation unit from a time when 
the encryption or decryption operation start signal and the mode signal are 
inputted; a 64-bit data register for storing intermediate encryption or decryption 
data of the upper 64-bit input data generated during each round operation 

35 performed by the round operation unit; and a 128-bit data register for storing 
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intermediate encryption or decryption data of the lower 64-bit input data 
generated during each round operation performed by the round operation unit as 
its lower 64 bits, and storing the encryption or decryption data generated as a 
result of a last round operation and stored in the 64-bit data register as its upper 
5 64-bit data. 

In order to accomplish the above-mentioned object, a rijndael block 
encryption method according to a first embodiment of the present invention 
comprises the steps of if a four-clock round operation start signal and a round 
number signal are inputted from a round operation control unit after an encryption 

10 or decryption operation start signal and a mode signal are inputted through a bus, 
a round key generation unit of a round operation unit transforming a 128-bit input 
key into a 128-bit round key for encryption in accordance with a value of the 
mode signal inputted through the bus from a time when a first clock of the round 
operation start signal becomes ' 1 \ and storing the 128-bit round key in an internal 

15 128-bit round key register; if the four-clock round operation start signal and a bit 
selection signal are inputted from the round operation control unit, a shift/inverse- 
shift_row transform unit performing a byte-shift of upper 64-bit data of 128-bit 
input data inputted through the bus and outputting the byte-shifted upper 64-bit 
data through a first multiplexer when the first clock becomes % l\ and a 

20 substitution/inverse-substitution transform unit successively performing a 
substitution of the upper 64-bit data, outputting the substituted upper 64-bit data 
to a first demultiplexer, and storing the substituted upper 64-bit data in a 64-bit 
data register; when a second clock of the round operation start signal becomes T, 
a mix/inverse-mixcolumn transform unit performing a mixcolumn of the upper 

2 5 64-bit data outputted through an encryption output terminal of the first 
demultiplexer and stored in the 64-bit data register, outputting the mixcolumn- 
transformed upper 64-bit data to a second demultiplexer, and storing the 
mixcolumn-transformed upper 64-bit data in the 64-bit data register, the 
shift/inverse-shift_row transform unit simultaneously performing a byte-shift of 

30 lower 64-bit data of the 128-bit input data inputted through the bus and outputting 
the byte-shifted lower 64-bit data through the first multiplexer, and the 
substitution/inverse-substitution transform unit successively performing a 
substitution of the lower 64-bit data, outputting the substituted lower 64-bit data 
to the first demultiplexer, and storing the substituted lower 64-bit data in lower 64 

35 bits of a 128-bit data register; when a third clock of the round operation start 
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signal becomes T, an add-round-key transform unit performing an addition of 
the upper 64-bit data outputted through an encryption output terminal of the 
second demultiplexer and stored in the 64-bit data register to upper 64-bit round 
key generated by the round key generation unit and storing the added upper 64-bit 
5 data in upper 64 bits of the 128-bit data register, and a mix/inverse-mixcolumn 
transform unit simultaneously performing a mixcolumn of the lower 64-bit data 
outputted through the encryption output terminal of the first demultiplexer and 
stored in the 128-bit data register, outputting the mixcolumn-transformed lower 
64-bit data to the second demultiplexer, and storing the mixcolumn-transformed 

10 lower 64-bit data in the lower 64 bits of the 128-bit data register; and when a 
fourth clock of the round operation start signal becomes '1% the add-round-key 
transform unit performing an addition of the lower 64-bit data outputted through 
the encryption output terminal of the second demultiplexer and stored in the 128- 
bit data register to lower 64-bit round key generated by the round key generation 

15 unit and storing the added lower 64-bit data in the lower 64 bits of the 128-bit data 
register. 

In order to accomplish the above-mentioned object, a rijndael block 
decryption method according to a first embodiment of the present invention 
comprises the steps of if a four-clock round operation start signal and a round 

2 0 number signal are inputted from a round operation control unit after an encryption 
or decryption operation start signal and a mode signal are inputted through a bus, 
a round key generation unit of a round operation unit transforming a 128-bit input 
key into a 128-bit round key for decryption in accordance with a value of the 
mode signal inputted through the bus from a time when a first clock of the round 

2 5 operation start signal becomes e 1 \ and storing the 128-bit round key in an internal 
128-bit round key register; if the four-clock round operation start signal and a bit 
selection signal are inputted from the round operation control unit, a shift/inverse- 
shift_row transform unit performing a byte-inverse-shift of upper 64-bit data of 
128-bit input data inputted through the bus and outputting the byte-inverse-shifted 

30 upper 64-bit data through a first multiplexer when the first clock becomes 4 1 \ and 
a substitution/inverse-substitution transform unit successively performing an 
inverse substitution of the upper 64-bit data, outputting the inverse-substituted 
upper 64-bit data to a first demultiplexer, and storing the inverse-substituted upper 
64-bit data in a 64-bit data register; when a second clock of the round operation 

35 start signal becomes 4 P, an add-round-key transform unit performing an addition 
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of the upper 64-bit data outputted through a decryption output terminal of the first 
demultiplexer and stored in the 64-bit data register to upper 64-bit round key 
generated by the round key generation unit, outputting the added upper 64-bit data 
to a third demultiplexer, and storing the added upper 64-bit data in the 64-bit data 
5 register, the shift/inverse-shift_row transform unit simultaneously performing a 
byte-inverse-shift of lower 64-bit data of the 128-bit input data inputted through 
the bus, and outputting the byte-inverse-shifted lower 64-bit data through the first 
multiplexer, and the substitution/inverse-substitution transform unit successively 
performing an inverse substitution of the lower 64-bit data, outputting the inverse- 

10 substituted lower 64-bit data to the first demultiplexer, and storing the inverse- 
substituted lower 64-bit data in lower 64 bits of a 128-bit data register, when a 
third clock of the round operation start signal becomes T, a mix/inverse- 
mixcolumn transform unit performing an inverse mixcolumn of the upper 64-bit 
data outputted through a decryption output terminal of the third demultiplexer and 

15 stored in the 64-bit data register, outputting the inverse-mixcolumn-transformed 
upper 64-bit data through a second demultiplexer, and storing the inverse- 
mixcolumn-transformed upper 64-bit data in upper 64 bits of the 128-bit data 
register, and the add-round-key transform unit simultaneously performing an 
addition of the lower 64-bit data outputted through the decryption output terminal 

20 of the first demultiplexer and stored in the 128-bit data register to lower 64-bit 
round key generated by the round key generation unit, outputting the added lower 
64-bit data through the third demultiplexer, and storing the added lower 64-bit 
data in the lower 64 bits of the 128-bit data register; and when a fourth clock of 
the round operation start signal becomes 'P, the mix/inverse-mixcolumn 

25 transform unit performing an inverse mixcolumn of the lower 64-bit data 
outputted through the decryption output terminal of the third demultiplexer and 
stored in the 128-bit data register, outputting the inverse-mixcolumn-transformed 
lower 64-bit data through a second demultiplexer, and storing the inverse- 
mixcolumn-transformed lower 64-bit data in the lower 64 bits of the 128-bit data 

30 register. 

In order to accomplish the above-mentioned object, a rijndael block 
encryption method according to a second embodiment of the present invention 
comprises the steps of if a three-clock round operation start signal and a round 
number signal are inputted from a round operation control unit after an encryption 
35 or decryption operation start signal and a mode signal are inputted through a bus, 
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a round key generation unit of a round operation unit transforming a 128-bit input 
key into a 128-bit round key for encryption in accordance with a value of the 
mode signal inputted through the bus from a time when a first clock of the round 
operation start signal becomes *1\ and storing the 128-bit round key in an internal 
5 128-bit round key register; if the three-clock round operation start signal and a bit 
selection signal are inputted from the round operation control unit, a shift/inverse- 
shift_row transform unit performing a byte-shift of upper 64-bit data of 128-bit 
input data inputted through the bus and outputting the byte-shifted upper 64-bit 
data through a first multiplexer when the first clock becomes T, and a 

10 substitution/inverse-substitution transform unit successively performing a 
substitution of the upper 64-bit data, outputting the substituted upper 64-bit data 
to a first demultiplexer, and storing the substituted upper 64-bit data in a 64-bit 
data register; when a second clock of the round operation start signal becomes * 1 *, 
a mix/inverse-mixcolumn transform unit performing a mixcolumn of the upper 

15 64-bit data outputted through an encryption output terminal of the first 
demultiplexer and stored in the 64-bit data register, and outputting the 
mixcolumn-transformed upper 64-bit data to a second demultiplexer, an add- 
round-key transform unit successively performing an addition of this upper 64-bit 
data to an upper 64-bit round key generated by the round key generation unit, and 

20 storing the added upper 64-bit data in the 64-bit data register, the shift/inverse- 
shift_row transform unit simultaneously performing a byte-shift of lower 64-bit 
data of the 128-bit input data inputted through the bus, and outputting the byte- 
shifted lower 64-bit data through the first multiplexer, and the 
substitution/inverse-substitution transform unit successively performing a 

25 substitution of the lower 64-bit data, outputting the substituted lower 64-bit data 
to the first demultiplexer, and storing the substituted lower 64-bit data in lower 64 
bits of a 128-bit data register; and when a third clock of the round operation start 
signal becomes ' 1 \ storing the 64-bit data added and then stored in the 64-bit data 
register in upper 64 bits of the 128-bit data register, the mix/inverse-mixcolumn 

30 transform unit simultaneously performing a mixcolumn of the lower 64-bit data 
outputted through the encryption output terminal of the first demultiplexer and 
stored in the 128-bit data register, and outputting the mixcolumn-transformed 
lower 64-bit data to the second demultiplexer, and the add-round-key transform 
unit successively performing an addition of the lower 64-bit data to lower 64-bit 
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round key generated by the round key generation unit, and storing the added lower 
64-bit data in the lower 64 bits of the 128-bit data register. 

In order to accomplish the above-mentioned object, a rijndael block 
decryption method according to a second embodiment of the present invention 
5 comprises the steps of if a three-clock round operation start signal and a round 
number signal are inputted from a round operation control unit after an encryption 
or decryption operation start signal and a mode signal are inputted through a bus, 
a round key generation unit of a round operation unit transforming a 128-bit input 
key into a 128-bit round key for decryption in accordance with a value of the 

1 0 mode signal inputted through the bus from a time when a first clock of the round 
operation start signal becomes '1% and storing the 128-bit round key in an internal 
128-bit round key register; if the three-clock round operation start signal and a bit 
selection signal are inputted from the round operation control unit, a shift/inverse- 
shiftrow transform unit performing a byte-inverse-shift of upper 64-bit data of 

15 128-bit input data inputted through the bus, and outputting the byte-inverse- 
shifted upper 64-bit data through a first multiplexer when the first clock becomes 
r * 1% and a substitution/inverse-substitution transform unit successively performing 
an inverse substitution of the upper 64-bit data, outputting the inverse-substituted 
upper 64-bit data to a first demultiplexer, and storing the inverse-substituted upper 

2 0 64-bit data in a 64-bit data register; when a second clock of the round operation 

start signal becomes *l\ an add-round-key transform unit performing an addition 
of the upper 64-bit data outputted through a decryption output terminal of the first 
demultiplexer and stored in the 64-bit data register to upper 64-bit round key 
generated by the round key generation unit, and outputting the added upper 64-bit 
25 data to a third demultiplexer, a mix/inverse-mixcolumn transform unit 
successively performing an inverse mixcolumn of the added upper 64-bit data, 
outputting the inverse-mixcolumn-transformed upper 64-bit data through a second 
demultiplexer, and storing the inverse-mixcolumn-transformed upper 64-bit data 
in the 64-bit data register, the shift/iriverse-shift_row transform unit 

3 0 simultaneously performing a byte-inverse-shift of lower 64-bit data of the 128-bit 

input data inputted through the bus, and outputting the byte-inverse-shifted lower 
64-bit data through the first multiplexer, and the substitution/inverse-substitution 
transform unit successively performing an inverse substitution of the lower 64-bit 
data, outputting the inverse-substituted lower 64-bit data to the first demultiplexer, 
35 and storing the inverse-substituted lower 64-bit data in lower 64 bits of a 128-bit 



PACE 9/85 " RCVD AT 2/17/2009 5:44:45 PM [Eastern Standard Time] ■ SVR:USPTO-EFXRF-5/36 * DNIS:2738300 • CSID:312 427 6663 ■ DURATION (mm-ss):23-*2 



02/17/2009 16:51 FAX 312 427 6663 



LAD AS & PARRY LLP 



(20010/0085 



9 

data register, and when a third clock of the round operation start signal becomes 
*]\ the add-round-key transform unit performing an addition of the lower 64-bit 
data outputted through the decryption output terminal of the first demultiplexer 
and stored in the 128-bit data register to lower 64-bit round key generated by the 
5 round key generation unit and outputting the added lower 64-bit data to the third 
demultiplexer, the mix/inverse-mixcolumn transform unit successively 
performing an inverse mixcolumn of the added lower 64-bit data, outputting the 
inverse-mixcolumn-transfonned lower 64-bit data through a second 
demultiplexer, and storing the inverse-mixcolumn-transformed lower 64-bit data 
10 in the lower 64 bits of the 128-bit data register, and simultaneously storing the 
upper 64-bit data stored in the 64-bit data register in upper 64 bits of the 128-bit 
data register. 

In order to accomplish the above-mentioned object, a rijndael block 
encryption method according to a third embodiment of the present invention 

15 comprises the steps of if a two-clock round operation start signal and a round 
number signal are inputted from a round operation control unit after an encryption 
or decryption operation start signal and a mode signal are inputted through a bus, 
a round key generation unit of a round operation unit transforming a 128-bit input 
key into a 128-bit round key for encryption in accordance with a value of the 

2 0 mode signal inputted through the bus from a time when a first clock of the round 
operation start signal becomes * 1 % and storing the 128-bit round key in an internal 
128-bit round key register; if the two-clock round operation start signal and a bit 
selection signal are inputted from the round operation control unit, a shift/inverse- 
shift row transform unit performing a byte-shift of upper 64-bit data of 128-bit 

25 input data inputted through the bus and outputting the byte-shifted upper 64-bit 
data through a first multiplexer when the first clock becomes T, a 
substitution/inverse-substitution transform unit successively performing a 
substitution of the upper 64-bit data, and outputting the substituted upper 64-bit 
data through a first demultiplexer, a mix/inverse-mixcolumn transform unit 

30 performing a mixcolumn of the upper 64-bit data outputted through an encryption 
output terminal of the first demultiplexer, and outputting the mixcolumn- 
transformed upper 64-bit data to a second demultiplexer, and an add-round-key 
transform unit successively performing an addition of this upper 64-bit data to an 
upper 64-bit round key generated by the round key generation unit, and storing the 

35 added upper 64-bit data in a 64-bit data register; and when a second clock of the 
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round operation start signal becomes 4 1\ the shift/inverse-shift_row transform 
unit performing a byte-shift of lower 64-bit data of the 128-bit input data inputted 
through the bus and outputting the byte-shifted lower 64-bit data through the first 
multiplexer, and the substitution/inverse-substitution transform unit successively 
5 performing a substitution of the lower 64-bit data, and outputting the substituted 
lower 64-bit data to the first demultiplexer, the mix/inverse-mixcolumn transform 
unit successively performing a mixcolumn of the lower 64-bit data, and outputting 
the mixcolumn-transformed lower 64-bit data to the second demultiplexer, the 
add-round-key transform unit successively performing an addition of this lower 
10 64-bit data to lower 64-bit round key generated by the round key generation unit, 
and storing the added lower 64-bit data in lower 64 bits of a 128-bit data register, 
and simultaneously storing the upper 64-bit data stored in the 64-bit data register 
in upper 64 bits of the 128-bit data register. 

In order to accomplish the above-mentioned object, a rijndael block 
15 decryption method according to a second embodiment of the present invention 
comprises the steps of if a two-clock round operation start signal and a round 
number signal are inputted from a round operation control unit after an encryption 
or decryption operation start signal and a mode signal are inputted through a bus, 
a round key generation unit of a round operation unit transforming a 128-bit input 
20 key into a 128-bit round key for decryption in accordance with a value of the 
mode signal inputted through the bus from a time when a first clock of the round 
operation start signal becomes *] \ and storing the 128-bit round key in an internal 
128-bit round key register; if the two-clock round operation start signal and a bit 
selection signal are inputted from the round operation control unit, a shift/inverse- 
25 shiftj-ow transform unit performing a byte-inverse-shift of upper 64-bit data of 
128-bit input data inputted through the bus, and outputting the byte-inverse- 
shifted upper 64-bit data through a first multiplexer when the first clock becomes 
M\ a substitution/inverse-substitution transform unit successively performing an 
inverse substitution of the upper 64-bit data, and outputting the inverse-substituted 
30 upper 64-bit data to a first demultiplexer, an add-round-key transform unit 
successively performing an addition of the upper 64-bit data outputted through a 
decryption output terminal of the first demultiplexer to an upper 64-bit round key 
generated by the round key generation unit, and outputting the added upper 64-bit 
data to a third demultiplexer, and a mix/inverse-mixcolumn transform unit 
35 successively performing an inverse mixcolumn of the added upper 64-bit data, 
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outputting the inverse-mixcolumn-transformed upper 64-bit data through a second 
demultiplexer, and storing the inverse-mixcolumn-transformed upper 64-bit data 
in a 64-bit data register, and when a second clock of the round operation start 
signal becomes '1', the shift/inverse-shift_row transform unit performing a byte- 
5 inverse-shift of lower 64-bit data of the 128-bit input data inputted through the 
bus and outputting the byte-inverse-shifted lower 64-bit data through the first 
multiplexer, the substitution/inverse-substitution transform unit successively 
performing an inverse substitution of the lower 64-bit data, and outputting the 
inverse-substituted lower 64-bit data to the first demultiplexer, the add-round-key 

10 transform unit successively performing an addition of the lower 64-bit data 
outputted through the decryption output terminal of the first demultiplexer to a 
lower 64-bit round key generated by the round key generation unit, and outputting 
the added lower 64-bit data to the third demultiplexer, the mix/inverse-mixcolumn 
transform unit successively performing an inverse mixcoiumn of the added lower 

15 64-bit data, outputting the inverse-mbccolumn-transformed lower 64-bit data 
through a second demultiplexer, and storing the inverse-mixcolumn-transformed 
lower 64-bit data in lower 64 bits of a 128-bit data register, and simultaneously 
storing the upper 64-bit data stored in the 64-bit data register in upper 64 bits of 
the 128-bit data register. 

20 

Best Mode for Carrying Out the Invention 

Now, a rijndael block cipher apparatus and an encryption/decryption 
method thereof according to preferred embodiments of the present invention will 
be described in detail with reference to the annexed drawings. 
2 5 Referring to FIG. 1, the rijndael block cipher apparatus according to the 

present invention is primary intended to perform all round operations for 
encrypting and decrypting input data for rijndael block encryption/decryption in 
the unit of 64 bits, and to generate round keys required for the round operations 
simultaneously with performing the round operations. 
30 A roun d operation unit 100 transforms a 128-bit input key into a 128-bit 

round key RK for encryption or decryption and stores the 128-bit round key 
according to a value of a mode signal from a time when a round operation start 
signal Round_start, a round number signal Round_number and a bit selection 
signal sel for dividing the 128-bit input data into upper 64 bits and lower 64 bits 
and selecting the upper or lower 64 bits for each round operation are inputted after 
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an encryption or decryption operation start signal start and the mode signal are 
inputted through a bus 200 for rijndael block encryption/decryption. 

If the value of the mode signal indicates c 0\ the round operation unit 100 
encrypts the 128-bit input data by dividing the 128-bit input data into the upper 64 
5 bits and the lower 64 bits and performing a round operation which is composed of 
transforms of shift_row, substitution, mixcolumn and add-round-key with respect 
to the divided upper 64 bits and lower b4 bits, respectively. 

If the value of the mode signal indicates 'I', the round operation unit 100 
decrypts the 128-bit input data by dividing the 128-bit input data into the upper 64 
1 0 bits and the lower 64 bits and performing a round operation which is composed of 
transforms of inverse shift_row, inverse substitution, add-round-key and inverse 
mixcolumn with respect to the divided upper 64 bits and lower M bits, 
respectively. 

A round operation control unit 300, if the encryption or decryption 
15 operation start signal and the mode signal are inputted through the bus 200, 
controls the round operation of the round operation unit 100 by transmitting the 
round operation start signal Round_start, the round number signal Round_number 
and the bit selection signal for dividing the 128-bit input data into the upper 64 
bits and the lower 64 bits and selecting the divided upper or lower 64 bits for each 
20 round operation to the round operation unit 100 from the time when the 
encryption or decryption operation start signal and the mode signal are inputted. 

A 64-bit data register 400 stores intermediate encryption or decryption 
data of the upper 64-bit input data generated during each round operation 
performed by the round operation unit 1 00. 
25 A 128-bit data register 500 stores intermediate encryption or decryption 

data of the lower 64-bit input data generated during each round operation 
performed by the round operation unit 100 as its lower 64 bits, and stores the 
encryption or decryption data generated as a result of a last round operation and 
stored in the 64-bit data register 400 as its upper 64 bits. 
30 Referring to FIG. 2, a round key generation unit 110 of the round 

operation unit 100 transforms the 128-bit input key into the 128-bit round key RK 
according to the value of the mode signal inputted through the bus 200 and stores 
the 128-bit round key in an internal 128-bit round key register if the round 
operation start signal and the round number signal are inputted from the round 
35 operation control unit 300. 
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A shift/inverse-shift_row transform unit 120 of the round operation unit 
100, if the round operation start signal and a bit selection signal are inputted from 
the round operation control unit 300, performs a' byte-shift of the upper 64 bits 
and the lower 64 bits divided from the 128-bit input data inputted through the bus 
200 by different numbers according to the value of the mode signal inputted 
through the bus 200, and outputs the byte-shifted upper 64 bits and lower 64 bits 
through a first multiplexer 121 the output of which is controlled according to the 
value of the bit selection signal. 

A substitution/inverse-substitution transform unit 130 of the round 
operation unit 100 performs a substitution or an inverse substitution of the upper 
64-bit data and the lower 64-bit data outputted from the shift/inverse-shift_row 
transform unit 120 using a substitution box (S-box) or an inverse-substitution box 
(Sl-box) that provides a one-byte output with respect to a one-byte input. 

A first demultiplexer 140 of the round operation unit 100 outputs the 
1 5 upper 64-bit data or the lower 64-bit data outputted from the substitution/inverse- 
substitution transform unit 130 through either of its encryption output terminal '0' 
and its decryption output terminal ' 1 ' according to the value of the mode signal. 

A mix/inverse-mixcolumn transform unit 150 of the round operation unit 
100 performs a mixcolumn of the upper 64-bit data or the lower 64-bit data 
inputted through the encryption output terminal '0* of the first demultiplexer 140, 
or performs an inverse mixcolumn of the upper 64-bit data or the lower 64-bit 
data that has been add-round-key-transformed. 

A second demultiplexer 160 of the round operation unit 100 outputs the 
upper 64-bit data or the lower 64-bit data outputted from the mix/inverse- 
mixcolumn transform unit 150 through either of its encryption output terminal '0' 
and its decryption output terminal « 1 ' according to the value of the mode signal. 

An add-round-key transform unit 170 of the round operation unit 100 
performs an addition of the upper 64-bit data or the lower 64-bit data inputted 
through the decryption output terminal 'V of the first demultiplexer 140 or the 
encryption output terminal '0' of the second demultiplexer 160 to the 128-bit 
round key RK for encryption or decryption outputted from the round key 
generation unit 1 10. 

A third demultiplexer 180 of the round operation unit 100 outputs the 
upper 64-bit data or the lower 64-bit data outputted from the add-round-key 
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transform unit 170 through either of its encryption output terminal '0' and its 
decryption output terminal ' 1 ' according to the value of the mode signal. 

Referring to FIG. 3, a 128-bit prekey register 111 of the round key 
generation unit 1 1 0 stores the 128-bit input key inputted through the bus 200 as a 
5 prekey for transforming the 128-bit input key into the 128-bit round key RK for 
encryption or decryption, and stores the 128-bit round key RK generated after 
each round operation as a prekey for generating the round key used in the next 
round operation. 

A 128-bit round key register 1 11a of the round key generation unit 1 10 
10 stores the 128-bit round key RK for encryption or decryption for each round 
operation. In FIG. 3, the 128-bit round key RK to be stored in the 128-bit round 
key register 1 1 la is backed up to the 128-bit prekey register 1 1 1 after each round 
operation, and is used as a round key (i.e., prekey) of the previous round in the 
next round operation. 

15 A instant storage unit 1 12 of the round key generation unit 1 10 stores 

constant values Rcon determined according to the order of the round indicated by 
the round number signal inputted from the round operation control unit 300. It is 
preferable that the constant storage unit 1 12 comprises a ROM. 

A second multiplexer 113 of the round key generation unit 110 is 

20 controlled according to the value of the mode signal inputted through the bus 200, 
and selects and outputs either of 32-bit keys for encryption or decryption inputted 
from the 128-bit prekey register 1 1 1 and the 128-bit round key register 1 1 la. 

A shifter 1 1 4 of the round key generation unit 1 1 0 performs a cyclic shift 
of the 32-bit key inputted through the second multiplexer 1 13 to the left by one 

25 byte. 

A substitution transform unit 115 of the round key generation unit 1 10 is 
composed of substitution boxes (S-boxes) for performing the substitution 
operation, and performs a substitution of the 32-bit key shifted by the shifter 1 14. 

A first XOR gate 1 16 of the round key generation unit 1 10 performs an 
XOR operation of the most significant byte of the 32-bit key outputted from the 
substitution transform unit 115 with the constant value stored in the constant 
storage unit 1 12. 

A round XOR operation unit 117 of the round key generation unit 110 
newly generates the 128-bit round key RK for encryption or decryption to be 
stored in the 128-bit round key register 1 1 la for each round of the round operation 
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by performing an XOR operation using a 32-bit value obtained by adding output 
bits of the first XOR gate 116 to the remaining 24 bits except for the most 
significant byte of the substitution transform unit 115, the 128-bit round key (i.e., 
prekey) of the previous round stored in the 128-bit prekey register 111, and the 
128-bit round key RK of the new round stored in the 128-bit round key register 
111a. 

A second XOR gate 118 of the round XOR operation unit 1 17 generates 
the most significant 32-bit round key RKO of the 128-bit round key for 
encryption or decryption of the new round by performing an XOR operation of 
the 32-bit value obtained by adding the output bits of the first XOR gate 116 to 
the remaining 24 bits except for the most significant byte of the substitution 
transform unit 115, with the most significant 32-bit round key PKO of the 128-bit 
round key of the previous round. 

A third XOR gate 1 18a of the round XOR operation unit 117 generates a 
15 32-bit (i.e., 95* bit to 64* bit) round key RK1 of the 128-bit round key for 
encryption of the new round by performing an XOR operation of the most 
significant 32-bit (i.e., 127* bit to 96* bit) round key RKO of the 128-bit round 
key of the new round with a 32-bit (i.e., 95* bit to 64* bit) round key PK1 next to 
the most significant 32bits of the 128-bit round key of the previous round. 
20 The third XOR gate 1 18a also generates a 32-bit (i.e., 95* bit to 64* bit) 

round key RK1 of the 128-bit round key for decryption of the new round by 
performing an XOR operation of the most significant 32-bh (i.e., 127* bit to 96* 
bit) round key PKO of the 128-bk round key of the previous round with a 32-bit 
(i.e., 95* bit to 64* bit) round key PK1 next to the most significant 32bits. 
25 A mird multiplexer 119 of the round XOR operation unit 117 is 

controlled according to the value of the mode signal inputted through the bus 200, 
and selectively determines input signals of the third XOR gate 1 18a. 

A fourth XOR gate 1 18b of the round XOR operation unit 1 17 generates 
a 32-bit (i.e., 63 rd bit to 32 nd bit) round key RK2 of the 128-bit round key for 
30 encryption of the new round by performing an XOR operation of a 32-bit (i.e., 
95* bit to 64* bit) round key RK1 of the 128-bit round key of the new round with 
a 32-bit (i.e., 63 rd bit to 32 nd bit) round key PK2 of the 128-bit round key of the 
previous round. 

The fourth XOR gate 1 18b also generates a 32-bit (i.e., 63 rf bit to 32 nd 
bit) round key RK2 of the 128-bit round key for decryption of the new round by 
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performing an XOR operation of a 32-bit (i.e., 95 th bit to 64 th bit) round key PK1 
of the 128-bit round key of the previous round with a next 32-bit (i.e., 63 rd bit to 
32 nd bit) round key PK2. 

A fourth multiplexer 119a of the round XOR operation unit 117 is 
controlled according to the value of the mode signal inputted through the bus 200, 
and selectively determines input signals of die fourth XOR gate 1 18b. 

A fifth XOR gate 1 18c of the round XOR operation unit 117 generates a 
32-bit (i.e., 31 st bit to 0 th bit) round key RK3 of the 128-bit round key for 
encryption of the new round by performing an XOR operation of a 32-bit (i.e., 
63 rd bit to 32 nd bit) round key RK2 of the 128-bit round key of the new round with 
a 32-bit (i.e., 31 st bit to 0 th bit) round key PK3 of the 128-bit round key of the 
previous round. 

A fifth XOR gate 1 18c also generates a 32-bit (i.e., 31 st bit to 0 th bit) 
round key RK3 of the 128-bit round key for decryption of the new round by 
performing an XOR operation of a 32-bit (i.e., 63 rd bit to 32 nd bit) round key PK2 
of the 128-bit round key of the previous round with a next 32-bit (i.e., 31 st bit to 
0 th bit) round key PK3. 

A fifth multiplexer U9b of the round XOR operation unit 117 is 
controlled according to the value of the mode signal inputted through the bus 200, 
and selectively determines input signals of the fifth XOR gate 1 1 8c. 

The rijndael block cipher apparatus as constructed above according to the 
present invention performs the encryption and decryption processes as follows: 

First, referring to FIGs. 1 and 2, the encryption and decryption operation 
of the rijndael block cipher apparatus will be explained. 

If a round operation starts, a round key generation process is performed 
as the initial 128-bit input key is inputted to the round key generation unit 100 
through the bus 200, and 128-bit input data is inputted to the shift/in verse- 
shift_row transform unit 120. 

At this time, the shift/inverse-shift_row transform unit 120 performs a 
shift/inverse-shift by different numbers of bytes as defined in the rijndael block 
cipher algorithm. 

If the round operation control unit 300 sends a signal that selects upper 
64 bits (seI=T), the shift/in verse-shift_row transform unit 120 outputs the upper 
64 bits through the first multiplexer 121, while if the round operation control unit 
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300 sends a signal that selects lower 64 bits (sel='0') 5 it outputs the lower 64 bits 
through the first multiplexer 121. 

After the byte shift/inverse-shift_row operation as described above is 
performed, the upper or lower 64-bit data is inputted to the substitution/inverse- 
substitution transform unit 130, and the substitution or inverse substitution of the 
data is performed by a substitution box (S-box) or an inverse-substitution box (SI- 
box). At this time, the S-box and the Si-box serve as a substitution transform unit 
that outputs a one-byte output with respect to a one-byte input as defined in a 
specification of the rijndael algorithm. Also, since it is enough that the 
substitution/inverse-substitution transform unit 130 proposed according to the 
present invention processes only 64-bit data at a time, it requires only 8 S-boxes 
or 8 Si-boxes. 

If a mode signal that selects the encryption process (mode='0') is 
inputted through the bus 200 after the substitution/inverse-substitution operation 
is performed as described above, the upper or lower 64-bit data is inputted to the 
mix/inverse-mixcolumn transform unit 150 through the encryption output terminal 
'0' of the first demultiplexer 140, while if a mode signal that selects the 
decryption process (raode='F) is inputted through the bus 200, the upper or lower 
64-bit data is inputted to the add-round-key transform unit 170 through the c 
mix/inverse-mixcolumn transform unit 150 through the decryption output terminal 
' F of the first demultiplexer 1 40. 

If the mode signal that selects the encryption process (mode='0') is 
inputted through the bus 200, the 64-bit data that has passed through the 
mix/inverse-mixcolumn transform unit is inputted to the add-round-key transform 
unit 170 through the encryption output terminal '0* of the second demultiplexer 
160, while if the mode signal that selects the decryption process (mode=T) is 
inputted through the bus 200, the 64-bit data is outputted through the decryption 
output terminal *V of the second demultiplexer 160 as a resultant data of the 
round operation. 

Also, if the mode signal that selects the encryption process (mode='0') is 
inputted through the bus 200, the 64-bit data that has passed through the add- 
round-key transform unit is outputted through the encryption output terminal '0* 
of the third demultiplexer 180 as a resultant output of the round operation, while if 
the mode signal that selects the decryption process (mode- 1 ') is inputted through 
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the bus 200, the 64-bit data is inputted to the mix/inverse-mixcolumn transform 
unit 1 50 through the decryption output terminal ' 1 • of the third demultiplexer 1 80. 

As described above, since the present invention is intended to reduce the 
use of hardware resources by sharing constituent elements commonly used in the 
5 encryption process and the decryption process, the respective transform units have 
both functions of encryption and decryption. 

Meanwhile, referring to FIG. 3, the generation of round keys for 
encryption or decryption required for the encryption and decryption operation of 
the rijndael block cipher apparatus according to the present invention and 
1 0 performed by the round key generation unit 100 will be explained. 

If the 4-clock or 3-clock round operation start signal and the round 
number signal are inputted from the round operation control unit 300 to the round 
operation unit 100, the round operation starts. 

If the round operation starts, the round key generation unit 110 starts to 
15 generate a round key RK of a new round using the 128-bit round key (i.e., prekey) 
of the previous round stored in the 128-bit prekey register 111. 

If the mode signal that selects the encryption (mode= s 0') is inputted 
through the bus 200, the least significant 32 bits (PIG) of the 128-bit round key of 
the previous round of the 128-bit prekey register 1 1 1 is inputted to the shifter 1 14 
20 through the second mulitplexer 1 13. 

By contrast, if the mode signal that selects the decryption (mode=T) is 
inputted through the bus 200, the fifth XOR gate 1 18c performs an XOR 
operation of the lower 64 bits PK2 and PK3 of the round key of the previous 
round, and temporarily stores the XORed 32 bits as the least significant 32 bits 
2 5 RK3 of a new round key. Simultaneously, this value RIG is inputted to the shifter 
1 14 through the second multiplexer 113. 

The 32-bit key inputted to the shifter 114 is shifted to the left by one 
byte, and then substituted by the substitution transform unit 1 1 5 composed of 4 S- 
boxes. 

30 As described above, the most significant 8-bit key of the substitution- 

transformed 32-bit keys is XORed by the first XOR gate 116 with the constant 
value Rcon determined according to the order of the round indicated by the round 
number signal inputted from the round operation control unit 300. The resultant 8 
bits outputted from the first XOR gate 116 are added to the remaining 24 bits 
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outputted from the substitution transform unit 1 15, and the added bits are inputted 
to the second XOR gate 1 1 8 of the round XOR operation unit 1 1 7. 

Especially, by limiting the part in which the constant values related to the 
round numbers are XORed during the round key generation process only to the 
upper 8 bits of the 32-bit data that has passed through the substitution transform 
unit 115, the effect of reduction of the hardware size can be obtained. For this, the 
rijndael algorithm specification describes the structure that makes 32-bit constant 
value that is related to the round number by padding 6 0' of 24 bits to the 8-bit 
constant value, and then performs an XOR operation of the32-bit constant value 
with the 32-bit value that has passed through the substitution transform unit 1 15. 

Then, the second XOR gate 1 18 performs an XOR operation of the 32 
bits, which are obtained by adding the resultant 8 bits outputted from the first 
XOR gate 116 to the remaining 24 bits outputted from the substitution transform 
unit 115, with the most significant 32 bits PK0 of the round key of the previous 
round, and stores the resultant value of the XOR operation as the most significant 
32-bit round key RKO of the new round. 

After the most significant 32-bit round key RKO required for encryption 
or decryption of the new round is generated as described above, the third XOR 
gate 1 18a, in the case of encryption process, generates the next 32-bit round key 
RK1 of the new round by performing an XOR operation of the most significant 
32-bit round key RKO of the new round with the upper 32-bh (i.e., 95 th bit to 64 th 
bit) round key PK1 of the previous round. In the case of decryption process, the 
third XOR gate 1 1 8a generates the next 32-bit round key RK1 of the new round 
by performing an XOR operation of the most significant 32-bit round key PKO of 
the previous round with the next upper 32-bit round key PKI of the previous 
round. 

At this time, the third multiplexer 1 19 determines the input values of the 
third XOR gate 1 18a according to the mode signal that is inputted through the bus 
200 and that indicates the encryption process or the decryption process. 

After the 32-bh round key RK1 next to the most significant 32-bit round 
key RKO of the new round is generated as described above, the next 32-bit round 
key RK2 and the least significant 32-bit round key RK3 for encryption or 
decryption are generated by the fourth XOR gate 118b and the fifth XOR gate 
1 18c which operate in the same manner as the third XOR gate 1 1 8a. The fourth 
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multiplexer 1 19a determines the input values of the fourth XOR gate 1 18b, and 
the fifth multiplexer 1 19b determines the input values of the fifth XOR gate 1 18c. 

Especially, the time required to generate the 128-bit round key of the new 
round in the unit of 32 bits corresponds to the whole 4-clock period of the round 
5 operation start signal inputted from the round operation control unit 300 in the 
case of encryption process, and corresponds to the whole 2-clock period in the 
case of decryption process. 

In practice, when the first clock of the encryption round operation start 
signal becomes ' 1 \ the most significant 32-bit round key RK0 of the new round is 

10 generated through the second XOR gate 1 18, and whenever the second, third and 
fourth clocks become '1', the 32-bit round keys RK1, RK2 and RK3 of the new 
round are generated through the third XOR gate 1 18a, fourth XOR gate 1 1 8b and 
fifth XOR gate 1 18c, respectively. Also, when the first clock of the decryption 
round operation start signal becomes '1\ the most significant 32-bit round key 

15 RK0 of the new round is generated through the second XOR gate 1 18, and when 
the second clock becomes T, the 32-bit round keys RK1, RK2 and RK3 of the 
new round are simultaneously generated through the third XOR gate 1 18a, fourth 
XOR gate 1 18b and fifth XOR gate 1 18c. 

In the case that the 3-clock round operation start signal is inputted from 

20 the round operation control unit 300 to the round operation unit 100, the round 
key generation unit 110 generates the encryption round key during the 2-clock 
period. 

At this time, the process of generating the most significant 32-bit (i.e., 
127 th bit to 96* bit) round key RK0 of the 128-bit round key of the new round is 
2 5 performed when the first clock of the round operation start signal becomes * 1 \ 

If the second clock of the round operation start signal becomes C P, the 
third XOR gate 1 18a generates the 32-bit (i.e., 95 th bit to 64 th bit) round key RK1 
of the 128-bit round key for encryption of the new round by performing an XOR 
operation of the most significant 32-bit (i.e., 127 th bii to 96 th bit) round key RKO 
30 of the 128-bit round key of the new round with the 32-bit round key PK1 next to 
the most significant 32bits of the 128-bit round key of the previous round. 

Simultaneously, the fourth XOR gale 1 18b generates a 32-bit (i.e., 63 rd 
bit to 32 nd bit) round key RK2 of the 128-bit round key for encryption of the new 
round by performing an XOR operation of a resultant value (RKO © PK1), which 
35 is obtained by the third XOR gate's XOR operation of the most significant 32-bit 
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(i.e., 127 th bit to 96 th bit) round key RKO of the 128-bit round key of the new 
round with the 32-bit (i.e., 95* bit to 64 th bit) roupd key PK1 next to the most 
significant 32-bit round key of the 128-bit round key of the previous round, with 
the 32-bit (i.e., 63 rd bit to 32 nd bit) round key PK2 of the previous round. 
5 Simultaneously, the fifth XOR gate 1 1 8c generates a 32-bit (i.e., 31 st bit 

to 0 th bit) round key RK3 of the 128-bit round key for encryption of the new round 
by performing an XOR operation of a resultant value (RKO © PK1), which is 
obtained by the fourth XOR gate's XOR operation of the most significant 32-bit 
(i.e., 127 th bit to 96 th bit) round key RKO of the 128-bit round key of the new 

10 round that has been XORed by the third XOR gate 1 18a with the 32-bit (i.e., 95 th 
bit to 64 th bit) round key PK1 next to the most significant 32-bit round key of the 
128-bit round key of the previous round, with the 32-bit (i.e., 63 rt bit to 32 nd bit) 
round key PK2 of the previous round to produce a resultant value (RKO © PK1 © 
PK2) of XOR operation, and then performing an XOR operation of the resultant 

15 value (RKO © PK1 © PK2) with the 32-bit (3 1 st bit to 0 th bit) round key PK3 of 
the .previous round 

In the case that the 2-clock round operation start signal is inputted from 
the round operation control unit 300 to the round operation unit 100, the round 
key generation unit 110 generates the encryption round key during the one-clock 

20 period. 

At this time, the process of generating the most significant 32-bit (i.e., 
127 th bit to 96 th bit) round key RKO of the 128-bit round key of the new round 
through the second XOR gate 1 18 is performed when the round operation start 
signal is inputted and the clock is simultaneously in a 4 0' state. 

25 If the first clock of the round operation start signal becomes 6 1', the third 

XOR gate 1 18a generates the 32-bit (i.e., 95 th bit to 64 th bit) round key RK1 of the 
128-bit round key for encryption of the new round by performing an XOR 
operation of the most significant 32-bit (i.e., 127 th bit to 96 th bit) round key RKO 
of the 128-bit round key of the new round with the 32-bit round key PK1 next to 

30 the most significant 32bits of the 128-bit round key of the previous round. 

Simultaneously, the fourth XOR gate 118b generates a 32-bit (i.e., 63 rd 
bit to 32 nd bit) round key RK2 of the 128-bit round key for encryption of the new 
round by performing an XOR operation of a resultant value (RKO © PK1), which 
is obtained by the third XOR gate's XOR operation of the most significant 32-bit 

35 (i.e., 127 th bit to 96 th bit) round key RKO of the 128-bit round key of the new 
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round with the 32-bit (i.e., 95 th bit to 64* bit) round key PK1 next to the most 
significant 32-bit round key of the 128-bit round key of the previous round, with 
the 32-bit (i.e., 63 rf bit to 32 nd bit) round key PK2 of the previous round. 

Simultaneously, the fifth XOR gate 1 18c generates a 32-bit (i.e., 31 st bit 
5 to 0 th bit) round key KK3 of the 1 28-bit round key for encryption of the new round 
by performing an XOR operation of a resultant value (RK0 © PK1), which is 
obtained by the fourth XOR gate's XOR operation of the most significant 32-bit 
(i.e., 127 th bit to 96 th bit) round key RK0 of the 128-bit round key of the new 
round that has been XORed by the third XOR gate 1 1 8a with the 32-bit (i.e., 95 th 

10 bit to 64 th bit) round key PK1 next to the most significant 32-bit round key of the 
128-bit round key of the previous round, with the 32-bit (Le., 63* bit to 32 nd bit) 
round key PK2 of the previous round to produce a resultant value (RKO © PK1 © 
PK2) of XOR operation, and then performing an XOR operation of the resultant 
value (RKO © PK1 © PK2) with the 32-bit (31 st bit to 0 ,h bit) round key PK3 of 

15 the previous round. 

In the case that the 2-clock round operation start signal is inputted from 
the round operation control unit 300 to the round operation unit 100, the round 
key generation unit 1 10 generates the decryption round key during the one-clock 
period. 

20 At to™ time » the process of generating the most significant 32-bit (i.e., 

127 th bit to 96 th bit) round key RKO of the 128-bit round key of the new round 
through the second XOR gate 1 18 is performed when the round operation start 
signal is inputted and the clock is simultaneously in a 4 0* state. 

If the first clock of the round operation start signal becomes 6 1 % the third 

25 XOR gate 118a generates the next 32-bit round key RK1 of the new round by 
performing an XOR operation of the most significant 32 bits PK0 of the previous 
round with the next upper 32 bits PK1 of the previous round, and in succession 
the fourth XOR gate 1 1 8b and the fifth XOR gate 1 1 8c, which operate in the same 
manner as the third XOR gate 118a, generate the next 32-bit round key RK2 for 

30 decryption and the least significant 32-bit round key RK3. These processes are 
simultaneously performed during the first clock period. 

Now, the operation of the rijndael block cipher apparatus that performs 
the encryption and decryption process as described above will be explained in 
more detail in accordance with the number of clocks of the round operation start 
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signal inputted from the round operation control unit 300 to the round operation 
unit 100. 

FIG. 4 is a first timing diagram illustrating a method of encrypting a 
rijndael block cipher according to the present invention. 

Referring to FIG. 4, if the four-clock round operation start signal and the 
round number signal are inputted from the round operation control unit 300 to the 
round operation unit 100 (step S400), the byte-shift transform and the substitution 
operation are successively performed with respect to the upper 64-bit data of the 
128-bit round operation input data at the moment when the first clock becomes T 
(step S401), and these two processes are performed within one clock. The results 
of these processes are stored in the 64-bit data register 400. Also, at the moment 
when the first clock of the round operation start signal becomes 6 P, the 128-bit 
round key generation process using the 128-bit round input key starts (step 
S401a). 

At the moment when the second clock of the round operation start signal 
becomes T, the mixcolumn transform using the 64-bit data stored in the 64-bit 
data register 400 is performed with its resultant values stored in the 64-bit data 
register 400 (step S402), and simultaneously, the byte-shift transfoim and the 
substitution operation of the lower 64-bit data of the round operation input data 
are successively performed (step S402). These two processes are formed in one 
clock. Also, the resultant data of the byte-shift transform and the substitution 
operation of the lower 64-bit data are stored in a lower 64-bit position of the 128- 
bit data register 500 that stores the round operation results. 

At the moment when the third clock of the round operation start signal 
becomes '1\ the 64 bits stored in the 64-bit data register 400 are inputted to the 
add-round-key transform unit 170 so as to be added to the upper 64 bits of the 
round key generated by the round key generation unit 1 10, and the resultant value 
is stored in the upper 64-bit position of the 128-bit data register 500 (step S403). 
Also, the mixcolumn transform of the lower 64-bit data of the 128-bit data register 
500 is performed, and the resultant value is stored in the lower 64-bit position of 
the 128-biat data register 500 (step S403). 

At the moment when the fourth clock of the round operation start signal 
becomes T, the lower 64 bits of the 128-bit data register 500 are inputted to the 
add-round-key transform unit 170 so as to be added to the lower 64 bits of the 
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round key generated by the round key generation unit 110, and the resultant value 
is stored in the lower 64-bit position of the 128-bit data register 500 (step S404). 

Accordingly, in the rijndael block cipher apparatus that performs the 
above-described encryption process, the 128-bit data of the 128-bit data register 
5 500 is used as the 128-bit round operation input data of the next round, and the 
round key RK newly generated by the round key generation unit 1 10 and then 
stored in the 128-bit round key register 111a is also stored in the 128-bit prekey 
register 111 to be used as the 128-bit round input key of the next round. 
Consequently, the encryption operation of one round is completed within a period 

10 of four clocks. 

In the case that the encryption method as illustrated in FIG. 4 is 
performed by the rijndael block cipher apparatus according to the present 
invention, the round key generation unit 1 10 completes the round key generation 
process within a period of four clocks of the round operation start signal. That is, 

15 as shown in FIG. 4, the add-round-key transform process (step S403), which is the 
process of adding the upper 64-bit data to the round key, is performed after the 
third clock from the start of the round operation. After the second clock from the 
start of the round operation, only the upper 64-bit round key of the new round is 
generated, and at this time point, there is no problem in performing the encryption 

20 operation of the round operation since only the upper 64-bit round key is used. 
Also, since the time point when the fourth clock starts after third clock for the 
round operation coincides with the time point when all the 128-bit round keys are 
generated, there is no problem in performing the add-round-key transform process 
(step S404) for adding the lower 64-bit data to the lower 64-bit round key. 

- 5 Also, in the in the rijndael block cipher apparatus that performs the 

above-described encryption process, the 64-bit data register 400 is used as the 
storage space of the intermediate data generated during the encryption process, 
and thus the result of the byte-shift transform of the upper 64-bit data does not 
affect the byte-shift transform of the lower 64-bit data. Also, since the upper 64- 

*0 bit data and the lower 64-bit data are simultaneously transformed, but are not 
transformed in the same manner during the same clock period, the number of 
hardware modules required for the transform can be reduced by half. Especially, 
the data generated for each clock is updated and stored in one storage space, and 
thus no additional storage space is required. That is, this case is directed to the 

15 structure that applies a pipeline structure but requires no additional hardware, and 
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this structure will be applied in the same manner to methods of encrypting and 
decrypting the rijndael block cipher according to other embodiment of the present 
invention to be explained later. 

FIG. 5 is a first timing diagram illustrating a method of decrypting a 
5 rijndael block cipher according to the present invention. 

Referring to FIG. 5, if the four-clock round operation start signal and the 
round number signal are inputted from the round operation control unit 300 to the 
round operation unit 100 (step S500), the byte-inverse-shift transform and the 
inverse-substitution operation arc successively performed with respect to the 
10 upper 64-bit data of the 128-bit round operation input data at the moment when 
the first clock becomes 6 F (step S501), and these two processes are performed 
within one clock. At this time, the resultant data is stored in the 64-bit data 
register 400. Also, if the first clock of the round operation start signal becomes 
*T, the 128-bit round key generation process using the 128-bit round input key 
15 starts (step S501a). 

At the moment when the second clock of the round operation start signal 
becomes T, the add-round-key transform for adding the 64-bit data stored in the 
64-bit data register 400 to the upper 64 bits of the round key generated through 
the round key generation unit 110 is performed, and the resultant data is stored in 
2 0 the 64-bit data register 400 (step S502). Simultaneously, the byte-inverse-shift 
transform and the inverse-substitution of the lower 64-bit data of the round 
operation input data are successively performed, and the resultant data is stored in 
the lower 64-bit position of the 1 28-bit data register (step S502). 

At the moment when the third clock of the round operation start signal 
2 5 becomes 6 1 \ the 64-bit data stored in the 64-bit data register 400 is inputted to the 
mix/inverse-mixcolumn transform unit 150, and the resultant data of the inverse- 
mixcolumn transform is stored in the upper 64-bit position of the 128-bit data 
register 500 (step S503). Simultaneously, the add-round-key transform for adding 
the lower 64-bit data that has passed through the inverse-substitution operation to 
30 the round key generated from the round key generation unit 1 1 0 is performed, and 
the resultant data is stored in the lower 64-bit position of the 128-biat data register 
(step S503). 

At the moment when the fourth clock of the round operation start signal 
becomes c l\ the lower 64-bit data that has passed through the add-round-key 
35 transform is inputted to the mix/inverse-mixcolumn transform unit 150 to be 
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inverse-rnixcolumn-transforrned, and the resultant data is stored in the lower 64- 
bit position of the 128-bit data register 500 (step S504). 

At this time, the 128-bit data of the 128-bit data register 500 is used as 
the 128-bit round operation input data of the next decryption round operation, and 
the 128-bit round key RK that is the result of the round key generation is stored in 
the 128-bit prekey register 1 1 1 so as to be used as the 128-bit round input key of 
the next round operation. Consequently, the decryption operation of one round is 
completed within a period of four clocks. 

In the case that the decryption method as illustrated in FIG. 5 is 
performed by the rijndael block cipher apparatus according to the present 
invention, the round key generation unit 1 10 completes the round key generation 
process within a period of two clocks of the round operation start signal. That is, 
as shown in FIG. 5, since the add-round-key transform process (step S502), which 
is the process of adding the upper 64-bit round key to the 64-bit data, is performed 
after the second clock from the start of the round operation, all the 128-bit round 
keys have already been generated at the time point of the second clock, and thus 
there is no problem in performing the round operation. 

FIG. 6 is a second timing diagram illustrating a method of encrypting a 
rijndael block cipher according to the present invention. 

Referring to FIG. 6, if the three-clock round operation start signal and the 
round number signal are inputted from the round operation control unit 300 to the 
round operation unit 100 (step S600), the byte-shift operation and the substitution 
operation of the upper 64-bit data are successively performed at the moment when 
the first clock becomes '1\ and the resultant data is stored in the 64-bit data 
register (step S601). Also, the round key generation process is simultaneously 
performed (step S601a). 

At the moment when the second clock of the round operation start signal 
becomes T, the 64-bit data stored in the 64-bit data register 400 is mixcolumn- 
transformed, and then added to the upper 64-bkt round key of the resultant data of 
the add-round-key transform unit 110. The resultant data of the add-round-key 
transform is stored in the 64-bit data register 400 (step S602). Simultaneously, the 
byte-shift transform and the substitution operation of the lower 64-bit data are 
successively performed, and the resultant data is stored in the lower 64-bit 
position of the 1 28-bit data register 500 (step S602). 



PACE 27/85 * RCVD AT 2/17/2009 5:44:45 PM [Eastern Standard Time] * SVR:USPTO-EFXRF-5/36 * DNIS:2738300 * CSID:312 427 6663 * DURATION (mm-SS): 23-42 



02/17/2009 16:56 FAX 312 427 6663 LADAS & PARRY LLP ©0028/0085 



27 

At the moment when the third clock of the round operation start signal 
becomes 'P, the 64-bit data stored in the 64-bit data register 400 is inputted to the 
upper 64-bit position of the 128-bit data register 500, and the lower 64-bit data of 
the 128-bit data register 500 is mixcolumn-transfoimed and then added to lower 
5 64-bit round key of the round key generated by the round key generation unit 1 10. 
The resultant data is stored in the lower 64-bit position of the 128-bit data register 
500 (step S603). 

At this time, the 128-bit data of the 128-bit data register 500 is used as 
the 128-bit round operation input data of the next round operation, and the round 
10 key RK generated by the round key generation unit 110 is stored in the 128-bit 
prekey register 111 and then used as the 128-bit round input key of the next 
round. Consequently, the encryption operation of one round is completed within a 
period of three clocks. 

In the case that the encryption method as illustrated in FIG. 6 is 
15 performed by the rijndael block cipher apparatus according to the present 
invention, the round key generation unit 110 completes the round key generation 
process within a period of two clocks of the round operation start signal. That is, 
as shown in FIG. 6, since the add-round-key transform process (step S602), which 
is the process of adding the upper 64-bit round key to the upper 64-bit data, is 
2 0 performed after the second clock from the start of the round operation, all the 1 28- 
bit round keys have already been generated at the time point of the second clock, 
and thus there is no problem in performing the round operation. 

FIG. 7 is a second timing diagram illustrating a method of decrypting a 
rijndael block cipher according to the present invention. 
2 5 Referring to FIG. 7, if the three-clock round operation start signal and the 

round number signal are inputted from the round operation control unit 300 to the 
round operation unit 100 (step S700), the byte-inverse-shift transform and the 
inverse-substitution operation are successively performed with respect to the 
upper 64-bit data of the 128-bit round operation input data at the moment when 
30 the first clock becomes '1\ and the resultant data is stored in the 64-bit data 
register 400 (step S701). Also, the round key generation process starts 
simultaneously with these transforms (step S70Ia). 

When the second clock of the round operation start signal becomes *] \ 
the add-round-key transform for adding the 64-bit data stored in the 64-bit data 
35 register 400 to the upper 64-bit round key of the round key generated by the round 
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key generation unit 110 is performed, and the resultant data is inputted to the 
mix/inverse-mixcolumn transform unit 150. The inverse-mixcolumn-transformed 
data is stored in the 64-bit data register 400 (step S702). Simultaneously, the byte- 
inverse-shift transform and the inverse-substitution transform of the lower 64-bit 
5 data of the round operation input data are successively performed, and the 
resultant data is stored in the lower 64-brt position of the 128-bit data register 
(step S702). 

At the moment when the third clock of the round operation start signal 
becomes 'P, the 64-bit data stored in the 64-bit data register 400 is stored in the 
10 upper 64-bit position of the 128-bit data register 500, and the add-round-key 
transform for adding the lower 64-bit data of the 128-bit data register 500 to the 
lower 64-bit round key of the round key generation unit 1 10 is performed. The 
resultant data of the add-round-key transform is then inverse-mixcolumn- 
transformed, and the resultant data of the inverse-mixcolumn transform is stored 
1 5 in the lower 64-bit position of the 1 28-bit data register 500 (step S703). 

At this time, the 128-bit data of the 128-bit data register 500 is used as 
the 128-bit round operation input data of the next round operation, and the 128-bit 
round key RK generated by the round key generation unit 1 1 0 is stored in the 128- 
bit prekey register 1 1 1 so as to be used as the 128-bit round input key of the next 
20 round operation. Consequently, the decryption operation of one round is 
completed within a period of three clocks. 

In the case that the decryption method as illustrated in FIG. 7 is 
performed by the rijndael block cipher apparatus according to the present 
invention, the round key generation unit 1 10 completes the round key generation 
25 process within a period of two clocks of the round operation start signal. That is, 
as shown in FIG. 7, since the add-round-key transform process (step S702) for 
adding the upper 64-bit round key to the upper 64-bit data is performed after the 
second clock from the start of the round operation, all the 128-bit round keys have 
already been generated at the time point of the second clock, and thus there is no 
30 problem in performing the round operation. 

FIG. 8 is a third timing diagram illustrating a method of encrypting a 
rijndael block cipher according to the present invention. 

Referring to FIG. 8, if the two-clock round operation start signal and the 
round number signal are inputted from the round operation control unit 300 to the 
35 round operation unit 100 (step S800), the byte-shift transform, the substitution 
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transform, the mixcolumn transform and the add-round-key transform are 
successively performed with respect to the upper 64-bit data of the round input 
data when the first clock becomes '1', and the resultant data is stored in the 64-bit 
data register 400 (step S801). Simultaneously, the round key generation process 
5 (step S801a) is performed, and the add-round-key transform of the upper 64-bit 
round key of the generated round key is performed. These processes are 
performed in a period of one clock. 

When the second clock of the round operation start signal becomes *P, 
the byte-shift transform, the substitution transform, the mixcolumn transform and 
10 the add-round-key transform are successively performed with respect to the lower 
64-bit data of the round input data, and the resultant data is stored in the lower 64- 
bit position of the 128-bit data register 500 (step S802). Also, the add-round-key 
transform of the lower 64-bit round key of the round key generated in the round 
key generation process is performed. At this time, the 64-bit data stored in the 64- 
15 bit data register 400 is stored in the upper 64-bit position of the 128-bit data 
register 500, and the 128-bit round key RK newly generated by the round key 
generation unit 1 10 is stored in the 128-bit round key register 1 1 la and backed up 
in the 128-bit prekey register 111. Consequently, the encryption operation of one 
round is completed within a period of two clocks. 
20 In m e case that the encryption method as illustrated in FIG. 8 is 

performed by the rijndael block cipher apparatus according to the present 
invention, the round key generation unit 110 completes the round key generation 
process within a period of one clock of the round operation start signal. That is, as 
shown in FIG. 8, since the add-round-key transform process (step S801) for 
2 5 adding the upper 64-bit round key to the upper 64-bit data is performed after the 
first clock from the start of the round operation, all the 128-bit round keys have 
already been generated at the time point of the first clock, and thus there is no 
problem in performing the round operation. 

Actually, the round key generation unit 110 as illustrated in FIG. 3 
30 generates RK1 using RK0, and RK2 using RK1. The round key generation unit 
110 does not generate RK3 using RK2, but generates RK0 in a state that the round 
operation start signal is inputted and the clock becomes *0' simultaneously. When 
the first clock becomes '1', the round key generation unit 1 10 generates RK1 by 
XORing RK0 with PK1, RK2 by XORing RK0 with PK1 and PK2, and RK3 by 
35 XORing RKO with PK1, PK2 and PK3, simultaneously. 
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FIG. 9 is a third timing diagram illustrating a method of decrypting a 
rijndael block cipher according to the present invention. 

Referring to FIG. 9, if the two-clock round operation start signal and the 
round number signal are inputted from the round operation control unit 300 to the 
5 round operation unit 100 (step S900), the byte-inverse-shift transform, the 
inverse-substitution transform, the add-round-key transform and the inverse- 
mixcolumn transform are successively performed with respect to the upper 64-bit 
data of the round input data when the first clock becomes T, and the resultant 
data is stored in the 64-bit data register 400 (step S901). These processes are 
10 performed in a period of one clock. Simultaneously, the round key generation 
process (step S901a) for decryption is performed, and the add-round-key 
transform of the upper 64-bit round key of the round key generated by the round 
key generation unit 1 10 is performed. 

When the second clock of the round operation start signal becomes '1% 
15 the byte-inverse-shift transform, the inverse-substitution transform, the add- 
round-key transform and the inverse-mixcolumn transform are successively 
performed with respect to the lower 64-bit data of the round input data, and the 
resultant data is stored in the lower 64-bit position of the 128-bit data register 500 
(step S902). These processes are performed in a period of one clock. Also, the 
20 lower 64-bit round key of the round key generated prior to one clock by the round 
key generation unit 1 10 is used for the add-round-key transform. At this time, the 
64-bit data stored in the 64-bit data register 400 is stored in the upper 64-bit 
position of the 128-bit data register 500, and the 128-bit round key RK newly 
generated by the round key generation unit 1 10 is stored in the 128-bit round key 
2 5 register 1 1 1 a and backed up in the 128-bit prekey register III. Consequently, the 
decryption operation of one round is completed within a period of two clocks. 

In the case that the decryption method as illustrated in FIG. 9 is 
performed by the rijndael block cipher apparatus according to the present 
invention, the round key generation unit 1 10 completes the round key generation 
30 process within a period of one clock of the round operation start signal. That is, as 
shown in FIG. 9, the add-round-key transform process (step S901) for adding the 
upper 64-bit round key to the upper 64-bit data is performed after the first clock 
from the start of the round operation, but all the 128-bit round keys have already 
been generated at the time point of the first clock, and thus there is no problem in 
35 performing the round operation. 
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Actually, the round key generation unit 110 as illustrated in FIG. 3 
generates RKO in a state that the round operation start signal is inputted and the 
clock becomes '0' simultaneously. When the first clock becomes M\ the round 
key generation unit 110 generates RK1 by XORing RKO with PK1, RK2 by 
5 XORing PK1 with PK2, and RK3 by XORing PK2 with PK3, simultaneously. 

As described above, the rijndael block cipher apparatus according to the 
encryption method as illustrated in FIG. 8 and the decryption method as illustrated 
in FIG. 9 is a model suitable to be applied to a smart card, a USIM (User 
Subscriber Identity Module) card, a SIM card, etc, that have a small size, a low 
1 0 power consumption, and a low operational frequency characteristic. 

Industrial Applicability 

As apparent from the above description, the rijndael block cipher 
apparatus and the encryption/decryption method thereof according to the present 
15 invention can encrypt and decrypt important data that requires security at high 
speed by being mounted in a mobile terminal such as a cellular phone and a PDA 
or a smart card, which requires a high-rate and small-sized cipher processor, and 
can perform a round operation with respect to upper 64 bits and lower 64 bits 
which are divided from 128-bit input data. The present invention has the 
2 0 following effects: 

First, the cipher apparatus according to the present invention has a small 
size and can encrypt/decrypt real-time data at high speed by repeatedly using the 
round operation device in the apparatus. 

Second, since the cipher apparatus according to the present invention 
25 encrypts/decrypts block cipher data in real time using the round operation device 
applying a rijndael algorithm, it can provide a higher-graded security in 
comparison to an operation device applying the existing DES (Data Encryption 
Standard). 

Third, the rijndael encryption/decryption round operation device of the 
30 cipher apparatus according to the present invention has the advantage that it can 
encrypt/decrypt block cipher data in real time by adding a simple controller that 
repeats the round operation for a predetennined number of times. 

Fourth, the round operation device of the cipher apparatus according to 
the present invention can rapidly encrypt/decrypt data in real time although it has 
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a small size that is almost half the size of the existing round operation device in 
the unit of 128 bits. 

Fifth, the round operation device of the cipher apparatus according to the 
present invention can be implemented using a proper method according to its 
5 application fields, and in the case of applying to a system that is irrespective of the 
amount of hardware resource used, it can obtain a two-times high speed of data 
encryption/decryption by applying a round process in the unit of 128 bits instead 
of a round process in the unit of 64 bits. 

The forgoing embodiments are merely exemplary and are not to be 
10 construed as limiting the present invention. The present teachings can be readily 
applied to other types of apparatuses. The description of the present invention is 
intended to be illustrative, and not to limit the scope of the claims. Many 
alternatives, modifications, and variations will be apparent to those skilled in the 
art. 
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Claims 

1 . A rijndael block cipher apparatus comprising: 

a round operation unit for transforming a 128-bit input key into a 128-bit 
round key for encryption or decryption, and storing the 128-bit round key 
5 according to a value of a mode signal from a time when a round operation start 
signal, a round number signal and a bit selection signal for dividing the 128-bit 
input data into upper 64 bits and lower 64 bits and selecting the upper or lower 64 
bits are inputted after an encryption or decryption operation start signal and the 
mode signal are inputted, encrypting the 128-bit input data by dividing the 128-bit 

10 input data into the upper 64 bits and the lower 64 bits and by performing a round 
operation which is composed of transforms of shift_row, substitution, mixcolumn 
and add-round-key with respect to the divided upper 64 bits and lower b4 bits, 
respectively, and decrypting the 128-bit input data by dividing the 128-bit input 
data into the upper 64 bits and the lower 64 bits and by performing a round 

15 operation which is composed of transforms of inverse~shift_row, inverse 
substitution, add-round-key and inverse mixcolumn with respect to the divided 
upper 64 bits and lower b4 bits, respectively; 

a round operation control unit for controlling the round operation of the 
round operation unit by transmitting the round operation start signal, the round 

20 number signal and the bit selection signal for dividing the 128-bit input data into 
the upper 64 bits and lower 64 bits and selecting the upper or lower 64 bits to the 
round operation unit from a time when the encryption or decryption operation 
start signal and the mode signal are inputted; 

a 64-bit data register for storing intermediate encryption or decryption data 

2 5 of the upper 64-bit input data generated during each round operation performed by 
the round operation unit; and 

a 128-bit data register for storing intermediate encryption or decryption 
data of the lower 64-bit input data generated during each round operation 
performed by the round operation unit as its lower 64 bits, and storing the 

30 encryption or decryption data generated as a result of a last round operation and 
stored in the 64-bit data register as its upper 64-bit data. 

2. The apparatus as claimed in claim 1, wherein the round operation unit 
comprises: 
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a round key generation unit for transforming the 128-bit input key into the 
128-bit round key RK for encryption or decryption according to the value of the 
mode signal inputted through a bus and storing the 128-bit round key in an 
internal 128-bit round key register if the round operation start signal and the round 
5 number signal are inputted from the round operation control unit; 

a shift/inverse-shift_row transform unit for performing a byte-shift of the 
upper 64 bits and the lower 64 bits divided from the 128-bit input data inputted 
through the bus by different numbers according to the value of the mode signal 
inputted through the bus if the round operation start signal and the bit selection 
10 signal are inputted from the round operation control unit, and outputting the byte- 
shifted upper 64 bits and lower 64 bits through a first multiplexer the output of 
which is controlled according to the value of the bit selection signal; 

a substitution/inverse-substitution transform unit for performing a 
substitution or an inverse substitution of the upper 64-bit data and the lower 64-bit 
15 data outputted from the shifVinverse-shift_row transform unit using a substitution 
box (S-box) or an inverse-substitution box (Si-box) that provides a one-byte 
output with respect to a one-byte input; 

a first demultiplexer for outputting the upper 64-bit data or the lower 64- 
bit data outputted from the substitution/inverse-substitution transform unit through 
20 either of its encryption output terminal and its decryption output terminal 
according to the value of the mode signal; 

a mix/inverse-mixcolurnn transform unit for performing a mixcolumn of 
the upper 64-bit data or the lower 64-bit data inputted through the encryption 
output terminal of the first demultiplexer, or performing an inverse mixcolumn of 
25 the upper 64-bit data or the lower 64-bit data that has been add-round-key- 
transformed; 

a second demultiplexer for outputting the upper 64-bit data or the lower 
64-bit data outputted from the mix/inverse-mixcolumn transform unit through 
either of its encryption output terminal and its decryption output terminal 
3 0 according to the value of the mode signal ; 

an add-round-key transform unit for performing an addition of the upper 
64-bit data or the lower 64-bit data inputted through the decryption output 
terminal of the first demultiplexer or through the encryption output terminal of the 
second demultiplexer to the 128-bit round key RK for encryption or decryption 
35 outputted from the round key generation unit; and 
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a third demultiplexer for outputting the upper 64-bit data or the lower 64- 
bit data outputted from the add-round-key transform unit through either of its 
encryption output terminal and its decryption output terminal according to the 
value of the mode signal. 

5 

3. The apparatus as claimed in claim 1 or 2, wherein if the four-clock or 
three-clock round operation start signal is inputted from the round operation 
control unit to the round operation unit, the upper 64-bit data outputted from the 
substitution/inverse-substitution transform unit to the first demultiplexer is stored 

10 in the 64-bit data register, and the lower 64-bit data outputted is stored as lower 
64-bit data of the 128-bit data register. 

4, The apparatus as claimed in claim 1 or 2, wherein if the four-clock 
round operation start signal is inputted from the round operation control unit to 

15 the round operation unit, the upper 64-bit data outputted from the mix/inverse- 
mixcolumn transform unit to the second demultiplexer is stored in the 64-bit data 
register, and the lower 64-bit data outputted is stored as lower 64-bit data of the 
1 28-bit data register. 

20 5. The apparatus as claimed in claim 1 or 2, wherein if the four-clock 

round operation start signal is inputted from the round operation control unit to 
the round operation unit, the upper 64-bit data for encryption outputted from the 
add-round-key transform unit to the third demultiplexer is stored as upper 64-bit 
data of the 128-bit data register, and the lower 64-bit data for encryption is stored 

25 as lower 64-bit data of the 1 28-bit data register. 

6. The apparatus as claimed in claim 1 or 2, wherein if the four-clock 
round operation start signal is inputted from the round operation control unit to 
the round operation unit, the upper 64-bit data for decryption outputted from the 

3 0 add-round-key transform unit to the third demultiplexer is stored in the 64-bit data 
register, and the lower 64-bit data for decryption is stored as lower 64-bit data of 
the 128-bit data register. 

7. The apparatus as claimed in claim 1 or 2, wherein if the four-clock 
35 round operation start signal is inputted from the round operation control unit to 
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the round operation unit, the inverse-mixcolumn-tramformed upper 64-bit data 
outputted from the mix/inverse-mixcolumn transform unit to the second 
demultiplexer is stored as upper 64-bit data of the 128-bit data register, and the 
inverse-mixcoiumn-transformed lower 64-bit data is stored as lower 64-bit data of 
5 the 1 28-bit data register. 

8. The apparatus as claimed in claim 1 or 2, wherein if the three-clock 
round operation start signal is inputted from the round operation control unit to 
the round operation unit, the upper 64-bit data for encryption inverse-mixcolumn- 

0 transformed and then outputted from the add-round-key transform unit to the third 
demultiplexer is stored in the 64-bit data register, and then if a last third clock 
becomes ' I \ the upper 64-bit data for encryption is stored as upper 64-bit data of 
the 128-bit data register, and the lower 64-bit data for encryption is stored as 
lower 64-bit data of the 128-bit data register. 

5 

9. The apparatus as claimed in claim 1 or 2, wherein if the three-clock 
round operation start signal is inputted from the round operation control unit to 
the round operation unit, the upper 64-bit data add-round-key-transformed, 
inverse-mixcoiumn-transformed, and then outputted from the mix/inverse- 

) mixcolumn transform unit to the second demultiplexer is stored in the 64-bit data 
register, and then if a last third clock becomes T, the inverse-mixcoiumn- 
transformed upper 64-bit data is stored as upper 64-bit data of the 128-bit data 
register, and the inverse-mixcoiumn-transformed lower 64-bit data is stored as 
lower 64-bit data of the 128-bit data register. 

10. The apparatus as claimed in claim 1 or 2, wherein if the two-clock 
round operation start signal is inputted from the round operation control unit to 
the round operation unit, the upper 64-bit data for encryption shift_row- 
trasnformed, substitution-transformed, mixcolumn-transformed, and then 
outputted from the add-round-key transform unit to the third demultiplexer is 
stored in the 64-bit data register, and then if a last second clock becomes M \ the 
upper 64-bit data for encryption is stored as upper 64-bit data of the 128-bit data 
register, and the lower 64-bit data for encryption is stored as lower 64-bit data of 
the 128-bit data register. 
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1 1. The apparatus as claimed in claim 1 or 2, wherein if the two-clock 
round operation start signal is inputted from the round operation control unit to 
the round operation unit, the upper 64-bit data inverse-shift_row-trasnformed, 
inverse-substitution-transformed, add-round-key-transformed, and then inverse- 

5 mixcolumn -trans formed and outputted from the mix/in verse-mixcolumn 
transform unit to the second demultiplexer is stored in the 64-bit data register, and 
then if a last second clock becomes ' 1 \ the inverse-mixcolumn-transformed upper 
64-bit data is stored as upper 64-bit data of the 128-bit data register, and the 
inverse-mixcolumn-transformed lower 64-bit data is stored as lower 64-bit data of 
10 the 1 28-bit data register. 

12. The apparatus as claimed in claim 2, wherein the round key generation 
unit comprises: 

a 128-bit prekey register for storing the 128-bit input key inputted through 
15 the bus as a prekey for transforming the 128-bit input key into the 128-bit round 
key RK for encryption or decryption, and storing the 128-bit round key RK 
generated after each round operation as a prekey for generating a round key RK 
used in a next round operation; 

a 128-bit key register for storing the 128-bit round key RK for encryption 
20 or decryption for each round operation ; 

a constant storage unit for storing constant values Rcon determined 
according to the order of the round indicated by the round number signal inputted 
from the round operation control unit; 

a second multiplexer for being controlled according to the value of the 
25 mode signal inputted through the bus, and selecting and outputting one of 32-bit 
keys for encryption or decryption inputted from the 128-bit prekey register and 
the 128-bit round key register; 

a shifter for performing a cyclic shift of the 32-bit key inputted through the 
second multiplexer to the left by one byte; 
30 a substitution transform unit, composed of substitution boxes (S-boxes) for 

performing a substitution operation, for performing the substitution of the 32-bit 
key shifted by the shifter, 

a first XOR gate for performing an XOR operation of the most significant 
byte of the 32-bit key outputted from the substitution transform unit with the 
3 5 constant value stored in the constant storage unit; and 
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a round XOR operation unit for newly generating the 128-bit round key 
RK for encryption or decryption to be stored in the 128-bit round key register for 
each round of the round operation by performing an XOR operation using a 32-bit 
value obtained by adding output bits of the first XOR gate to the remaining 24 bits 
5 except for the most significant byte of the substitution transform unit, the 128-bit 
prekey of the previous round stored in the 128-bit prekey register 111, and the 
128-bit round key RK of the new round stored in the 128-bit round key register. 

13. The apparatus as claimed in claim 12, wherein if the four-clock round 
10 operation start signal is inputted from the round operation control unit to the 
round operation unit, the round XOR operation unit of the round key generation 
unit generates the encryption round key in a period of four clocks; and 
wherein the round XOR operation unit comprises: 

a second XOR gate for generating the most significant 32-bit round key 

15 RKO of the 128-bit round key for encryption or decryption of the new round by 
performing an XOR operation of the 32-bit value obtained by adding the output 
bits of the first XOR gate to the remaining 24 bits except for the most significant 
byte of the substitution transform unit, with the most significant 32-bit value PKO 
of the 128-bit round key of the previous round, if the first clock of the encryption 

2 0 round operation start signal becomes * F; 

a third XOR gate for generating a 32-bit (i.e., 95 th bit to 64 th bit) round key 
RK1 of the 128-bit round key for encryption of the new round by performing an 
XOR operation of the most significant 32-bit (i.e., 127 th bit to 96 th bit) round key 
RICO of the 128-bit round key of the new round with a 32-bit (i.e., 95 th bit to 64 th 

2 5 bit) round key PKl next to the most significant 32bits of the 128-bit round key of 
the previous round, and generating the 32-bit (i.e., 95 th bit to 64 th bit) round key 
RK1 of the 128-bit round key for decryption of the new round by performing an 
XOR operation of the most significant 32-bit (i.e., 127 th bit to 96 th bit) round key 
PKO of the 128-bit round key of the previous round with the 32-bit (i.e., 95 th bit 

30 to 64 th bit) round key PKl next to the most significant 32bits, if the second clock 
of the encryption round operation start signal becomes *T; 

a third multiplexer for being controlled according to the value of the mode 
signal inputted through the bus, and selectively determining input signals of the 
third XOR gate; 
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a fourth XOR gate for generating a 32-bit (i.e., 63 rd bit to 32 nd bit) round 
key RK2 of the 128-bit round key for encryption of the new round by performing 
an XOR operation of the 32-bit (i.e., 95 th bit to 64* bit) round key RK1 of the 
128-bit round key of the new round with a 32-bit (i.e., 63 rd bit to 32 nd bit) round 
5 key PK2 of the 128-bit round key of the previous round, and generating a 32-bit 
(i.e., 63* bit to 32 nd bit) round key RK2 of the 128-bit round key for decryption of 
the new round by performing an XOR operation of the 32-bit (i.e., 95 th bit to 64 th 
bit) round key PK1 of the 128-bit round key of the previous round with the next 
32-bit (i.e., 63 rd bit to 32 nd bit) round key PK2, if the third clock of the encryption 
1 0 round operation start signal becomes 6 F ; 

a fourth multiplexer for being is controlled according to the value of the 
mode signal inputted through the bus, and selectively determining input signals of 
the fourth XOR gate; 

a fifth XOR gate for generating a 32-bit (i.e., 3 1 st bit to 0 th bit) round key 
15 RK3 of the 128-bit round key for encryption of the new round by performing an 
XOR operation of the 32-bit (i.e., 63 rd bit to 32 nd bit) round key RK2 of the 128- 
bit round key of the new round with a 32-bit (i.e., 3 1 st bit to 0 th bit) round key PK3 
of the 128-bit round key of the previous round, and generating a 32-bit (i.e., 31 st 
bit to 0 th bit) round key RK3 of the 128-bit round key for decryption of the new 
20 round by performing an XOR operation of the 32-bit (i.e., 63 rd bit to 32 nd bit) 
round key PK2 of the 128-bit round key of the previous round with the next 32-bit 
(i.e., 31 st bit to 0* bit) round key PK3, if the fourth clock of the encryption round 
operation start signal becomes * 1 and 

a fifth multiplexer for being controlled according to the value of the mode 
25 signal inputted through the bus, and selectively determining input signals of the 
fifth XOR gate. 

14. The apparatus as claimed in claim 12, wherein if the three-clock round 
operation start signal is inputted from the round operation control unit to the 
30 round operation unit, the round XOR operation unit of the round key generation 
unit generates the encryption round key in a period of two clocks; and 
wherein the round XOR operation unit comprises: 

a second XOR gate for generating the most significant 32-bit round key 
RKO of the 128-bit round key for encryption or decryption of the new round by 
35 performing an XOR operation of the 32-bit value obtained by adding the output 
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bits of the first XOR gate to the remaining 24 bits except for the most significant 
byte of the substitution transform unit, with the most significant 32-bit value PKO 
of the 128-bit round key of the previous round, if the first clock of the encryption 
round operation start signal becomes 4 1 9 ; 

a third XOR gate for generating a 32-bit (i.e., 95 th bit to 64 th bit) round key 
RK1 of the 128-bit round key for encryption of the new round by performing an 
XOR operation of the most significant 32-bit (i.e., 127* bit to 96 th bit) round key 
RKO of the 128-bit round key of the new round with a 32-bit (i.e., 95 th bit to 64 th 
bit) round key PK1 next to the most significant 32bits of the 128-bit round key of 
the previous round, and generating the 32-bit (Le., 95 th bit to 64 th bit) round key 
RK1 of the 128-bit round key for decryption of the new round by performing an 
XOR operation of the most significant 32-bit (i.e., 127 th bit to 96 th bit) round key 
PKO of the 128-bit round key of the previous round with the 32-bit (i.e., 95 th bit 
to 64 th bit) round key PKl next to the most significant 32bits, if the second clock 
of the encryption round operation start signal becomes C F; 

a third multiplexer for being controlled according to the value of the mode 
signal inputted through the bus, and selectively determining input signals of the 
third XOR gate; 

a fourth XOR gate for generating a 32-bit (i.e., 63 rd bit to 32 nd bit) round 
key RK2 of the 128-bit round key for encryption of the new round by performing 
an XOR operation of a resultant value (RKO © PKl), which is obtained by the 
third XOR gate's XOR operation of the most significant 32-bit (i.e., 127 th bit to 
96* bit) round key RKO of the 128-bit round key of the new round with the 32-bit 
(i.e., 95 th bit to 64 th bit) round key PKl next to the most significant 32 bits of the 
128-bit round key of the previous round, with the 32-bit (i.e., 63 rd bit to 32 nd bit) 
round key PK2 of the previous round, and generating a 32-bit (i.e., 63 rd bit to 32 nd 
bit) round key RK2 of the 128-bit round key for decryption of the new round by 
performing an XOR operation of the 32-bit (i.e., 95 th bit to 64 th bit) round key 
PKl of the 128-bit round key of the previous round with the next 32-bit (i.e., 63 rd 
bit to 32 nd bit) round key PK2, if the second clock of the encryption round 
operation start signal becomes l V; 

a fourth multiplexer for being is controlled according to the value of the 
mode signal inputted through the bus, and selectively determining input signals of 
the fourth XOR gate; 
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a fifth XOR gate for generating a 32-bit (i.e., 31 st bit to 0 th bit) round key 
RK3 of the 128-bit round key for encryption of the new round by performing an 
XOR operation of the resultant value (RK0 S PK1), which is obtained by the 
fourth XOR gate's XOR operation of the most significant 32-bit (i.e., 127 th bit to 
5 96 th bit) round key RKO of the 128-bit round key of the new round that has been 
XORed by the third XOR gate with the 32-bit (i.e., 95* bit to 64 th bit) round key 
PK1 next to the most significant 32 bits of the 128-bit round key of the previous 
round, with the 32-bit (i.e., 63 rd bit to 32 nd bit) round key PK2 of the previous 
round to produce a resultant value (RKO © PK1 © PK2) of XOR operation, and 

10 then by performing an XOR operation of the resultant value (RKO © PK1 © PK2) 
with the 32-bit (31 st bit to 0 th bit) round key PK3 of the previous round, and 
generating the 32-bit (i.e., 31 st bit to 0 th bit) round key RK3 of the 128-bit round 
key for decryption of the new round by performing an XOR operation of the 32- 
bit (i.e., 63* bit to 32 nd bit) round key PK2 of the 128-bit round key of the 

15 previous round with the next 32-bit (i.e., 31 st bit to 0 th bit) round key PK3, if the 
second clock of the encryption round operation start signal becomes ' V; and 

a fifth multiplexer for being controlled according to the value of the mode 
signal inputted through the bus, and selectively determining input signals of the 
fifth XOR gate. 

20 

15. The apparatus as claimed in claim 12, wherein if the two-clock round 
operation start signal is inputted from the round operation control unit to the 
round operation unit, the round XOR operation unit of the round key generation 
unit generates the encryption round key in a period of one clock; and 

2 5 wherein the round XOR operation unit comprises: 

a second XOR gate for generating the most significant 32-bit round key 
RKO of the 128-bit round key for encryption or decryption of the new round by 
performing an XOR operation of the 32-bit value obtained by adding the output 
bits of the first XOR gate to the remaining 24 bits except for the most significant 

30 byte of the substitution transform unit, with the most significant 32-bit value PKO 
of the 128-bit round key of the previous round, in a state that the encryption round 
operation start signal is inputted and simultaneously, the clock becomes '0'; 

a third XOR gate for generating a 32-bit (i.e., 95 th bit to 64 th bit) round key 
RK1 of the 128-bit round key for encryption of the new round by performing an 

35 XOR operation of the most significant 32-bit (i.e., 127 th bit to 96 th bit) round key 
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RKO of the 128-bit round key of the new round with a 32-bit (i.e., 95 th bit to 64 th 
bit) round key PK1 next to the most significant 32bits of the 128-bit round key of 
the previous round, and generating the 32-bit (i.e., 95 th bit to 64 th bit) round key 
RK1 of the 128-bit round key for decryption of the new round by performing an 
5 XOR operation of the most significant 32-bit (i.e., 127* bit to 96 th bit) round key 
PKO of the 128-bit round key of the previous round with the 32-bit (i.e., 95 ,h bit 
to 64 th bit) round key PK1 next to the most significant 32bits, if the first clock of 
the encryption round operation start signal becomes * 1 

a third multiplexer for being controlled according to the value of the mode 
10 signal inputted through the bus, and selectively determining input signals of the 
third XOR gate; 

a fourth XOR gate for generating a 32-bit (i.e., 63 rd bit to 32 nd bit) round 
key RK2 of the 128-bit round key for encryption of the new round by performing 
an XOR operation of a resultant value (RKO © PKI), which is obtained by the 

15 third XOR gate's XOR operation of the most significant 32-bit (i.e., 127 th bit to 
96 th bit) round key RKO of the 128-bit round key of the new round with the 32-bit 
(i.e., 95 th bit to 64 th bit) round key PKI next to the most significant 32 bits of the 
128-bit round key of the previous round, with the 32-bit (i.e., 63 rd bit to 32™* bit) 
round key PK2 of the previous round, and generating a 32-bit (i.e., 63 rd bit to 32 nd 

20 bit) round key RK2 of the 128-bit round key for decryption of the new round by 
performing an XOR operation of the 32-bit (i.e., 95 th bit to 64 th bit) round key 
PKI of the 128-bit round key of the previous round with the next 32-bit (i.e., 63 rd 
bit to 32 nd bit) round key PK2, if the first clock of the encryption round operation 
start signal becomes '1 *; 

25 a fourth multiplexer for being is controlled according to the value of the 

mode signal inputted through the bus, and selectively determining input signals of 
the fourth XOR gate; 

a fifth XOR gate for generating a 32-bit (i.e., 31 st bit to 0 th bit) round key 
RK3 of the 128-bit round key for encryption of the new round by performing an 

30 XOR operation of the resultant value (RKO © PKI), which is obtained by the 
fourth XOR gate's XOR operation of the most significant 32-bit (i.e., 127 th bit to 
96 th bit) round key RKO of the 128-bit round key of the new round that has been 
XORed by the third XOR gate with the 32-bit (i.e., 95 th bit to 64 th bit) round key 
PKI next to the most significant 32 bits of the 128-bit round key of the previous 

35 round, with the 32-bit (i.e., 63 rd bit to 32 nd bit) round key PK2 of the previous 
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round to produce a resultant value (RKO © PK1 © PK2) of XOR operation, and 
then by performing an XOR operation of the resultant value (RKO © PKl © PK2) 
with the 32-bit (31 st bit to 0 th bit) round key PK3 of the previous round, and 
generating the 32-bit (i.e,, 31 st bit to 0* bit) round key RK3 of the 128-bit round 
5 key for decryption of the new round by performing an XOR operation of the 32- 
bit (i.e., 63 rd bit to 32 nd bit) round key PK2 of the 128-bit round key of the 
previous round with the next 32-bit (i.e., 31 st bit to 0 th bit) round key PK3, if the 
first clock of the encryption round operation start signal becomes ' V; and 

a fifth multiplexer for being controlled according to the value of the mode 
10 signal inputted through the bus, and selectively determining input signals of the 
fifth XOR gate. 

16. A rijndael block encryption method comprising the steps of: 
if a four-clock round operation start signal and a round number signal are 
15 inputted from a round operation control unit after an encryption or decryption 
operation start signal and a mode signal are inputted through a bus, a round key 
generation unit of a round operation unit transforming a 128-bit input key into a 
128-bit round key for encryption in accordance with a value of the mode signal 
inputted through the bus from a time when a first clock of the round operation 
20 start signal becomes T, and storing the 128-bit round key in an internal 128-bit 
round key register; 

if the four-clock round operation start signal and a bit selection signal are 
inputted from the round operation control unit, a shift/inverse-shift_jow transform 
unit performing a byte-shift of upper 64-bit data of 128-bit input data inputted 

25 through the bus and outputting the byte-shifted upper 64-bit data through a first 
multiplexer when the first clock becomes *1\ and a substitution/inverse- 
substitution transform unit successively performing a substitution of the upper 64- 
bit data, outputting the substituted upper 64-bit data to a first demultiplexer, and 
storing the substituted upper 64-bit data in a 64-bit data register; 

30 vvhen a second clock of the round operation start signal becomes c l\ a 

mix/inverse-mixcolumn transform unit performing a mixcolumn of the upper 64- 
bit data outputted through an encryption output terminal of the first demultiplexer 
and stored in the 64-bit data register, outputting the mixcolumn-transformed upper 
64-bit data to a second demultiplexer, and storing the mixcolumn-transformed 

35 upper 64-bit data in the 64-bit data register, the shift/in verse-shift_row transform 
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unit simultaneously performing a byte-shift of lower 64-bit data of the 128-bit 
input data inputted through the bus and outputting the byte-shifted lower 64-bit 
data through the first multiplexer, and the substitution/inverse-substitution 
transform unit successively performing a substitution of the lower 64-bit data, 
5 outputting the substituted lower 64-bit data to the first demultiplexer, and storing 
the substituted lower 64-bit data in lower 64 bits of a 128-bit data register; 

when a third clock of the round operation start signal becomes 4 1', an add- 
round-key transform unit performing an addition of the upper 64-bit data 
outputted through an encryption output terminal of the second demultiplexer and 

1 0 stored in the 64-bit data register to upper 64-bit round key generated by the round 
key generation unit and storing the added upper 64-bit data in upper 64 bits of the 
128-bit data register, and a mix/inverse-mixcolumn transform unit simultaneously 
performing a mixcolumn of the lower 64-bit data outputted through the encryption 
output terminal of the first demultiplexer and stored in the 128-bit data register, 

15 outputting the mixcolumn-transformed lower 64-bit data to the second 
demultiplexer, and storing the mixcolumn-transformed lower 64-bit data in the 
lower 64 bits of the 1 28-bit data register; and 

when a fourth clock of the round operation start signal becomes * 1% the 
add-round-key transform unit performing an addition of the lower 64-bit data 

2 0 outputted through the encryption output terminal of the second demultiplexer and 
stored in the 128-bit data register to lower 64-bit round key generated by the 
round key generation unit and storing the added lower 64-bit data in the lower 64 
bits of the 128-bit data register. 

25 17. The encryption method as claimed in claim 16, wherein at the step of 

the round key generation unit transforming the 128-bit input key into the 128-bit 
round key for encryption in accordance with the value of the mode signal inputted 
through the bus, and storing the 128-bit round key in the internal 128-bit round 
key register, the 128-bit round key for encryption is generated in a period of four 

30 clocks of the round operation start signal. 

1 8. A rijndael block decryption method comprising the steps of: 
if a four-clock round operation start signal and a round number signal are 
inputted from a round operation control unit after an encryption or decryption 
35 operation start signal and a mode signal are inputted through a bus, a round key 
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generation unit of a round operation unit transforming a 128-bit input key into a 
128-bit round key for decryption in accordance with a value of the mode signal 
inputted through the bus from a time when a first clock of the round operation 
start signal becomes e l\ and storing the 128-bit round key in an internal 128-bit 
5 round key register, 

if the four-clock round operation start signal and a bit selection signal are 
inputted from the round operation control unit, a shift/inverse-shiftrow transform 
unit performing a byte-inverse-shift of upper 64-bit data of 128-bit input data 
inputted through the bus and outputting the byte-inverse-shifted upper 64-bit data 
10 through a first multiplexer when the first clock becomes '1% and a 
substitution/inverse-substitution transform unit successively performing an 
inverse substitution of the upper 64-bit data, outputting the inverse-substituted 
upper 64-bit data to a first demultiplexer, and storing the inverse-substituted upper 
64-bit data in a 64-bit data register; 

15 when a second clock of the round operation start signal becomes M\ an 

add-round-key transform unit performing an addition of the upper 64-bit data 
outputted through a decryption output terminal of the first demultiplexer and 
stored in the 64-bit data register to upper 64-bit round key generated by the round 
key generation unit, outputting the added upper 64-bit data to a third 

20 demultiplexer, and storing the added upper 64-bit data in the 64-bit data register, 
the shift/inverse-shift_row transform unit simultaneously performing a byte- 
inverse-shift of lower 64-bit data of the 128-bit input data inputted through the 
bus, and outputting the byte-inverse-shifted lower 64-bit data through the first 
multiplexer, and the substitution/inverse-substitution transform unit successively 

2 5 performing an inverse substitution of the lower 64-bit data, outputting the inverse- 
substituted lower 64-bit data to the first demultiplexer, and storing the inverse- 
substituted lower 64-bit data in lower 64 bits of a 128-bit data register; 

when a third clock of the round operation start signal becomes *1\ a 
mix/in verse-mixcolumn transform unit performing an inverse mixcolumn of the 

30 upper 64-bit data outputted through a decryption output terminal of the third 
demultiplexer and stored in the 64-bit data register, outputting the inverse- 
mixcolumn-transformed upper 64-bit data through a second demultiplexer, and 
storing the in verse-mixcolumn -transformed upper 64-bit data in upper 64 bits of 
the 128-bit data register, and the add-round-key transform unit simultaneously 

35 performing an addition of the lower 64-bit data outputted through the decryption 
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output terminal of the first demultiplexer and stored in the 128-bit data register to 
lower 64-bit round key generated by the round key generation unit, outputting the 
added lower 64-bit data through the third demultiplexer, and storing the added 
lower 64-bit data in the lower 64 bits of the 128-bit data register, and 
5 when a fourth clock of the round operation start signal becomes * 1 \ the 

mix/inverse-mixcolumn transform unit performing an inverse mixcolumn of the 
lower 64-bit data outputted through the decryption output terminal of the third 
demultiplexer and stored in the 128-bit data register, outputting the inverse- 
m ixcol umn-transformed lower 64-bit data through a second demultiplexer, and 
10 storing the inverse-mixcolumn-transformed lower 64-bit data in the lower 64 bits 
of the 128-bit data register. 

19. The decryption method as claimed in claim 18, wherein at the step of 
the round key generation unit transforming the 128-bit input key into the 128-bit 
15 round key for decryption in accordance with the value of the mode signal inputted 
through the bus, and storing the 128-bit round key in the internal 128-bit round 
key register, the 128-bit round key for decryption is generated in a period of two 
clocks of the round operation start signal . 

20 20. A rijndael block encryption method comprising the steps of: 

if a three-clock round operation start signal and a round number signal are 
inputted from a round operation control unit after an encryption or decryption 
operation start signal and a mode signal are inputted through a bus, a round key 
generation unit of a round operation unit transforming a 128-bit input key into a 

25 128-bit round key for encryption in accordance with a value of the mode signal 
inputted through the bus from a time when a first clock of the round operation 
start signal becomes *1\ and storing the 128-bit round key in an internal 128-bit 
round key register, 

if the three-clock round operation start signal and a bit selection signal are 
30 inputted from the round operation control unit, a shiftyinverse-shift_row transform 
unit performing a byte-shift of upper 64-bit data of 128-bit input data inputted 
through the bus and outputting the byte-shifted upper 64-bit data through a first 
multiplexer when the first clock becomes fi 1\ and a substitution/inverse- 
substitution transform unit successively performing a substitution of the upper 64- 
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bit data, outputting the substituted upper 64-bit data to a first demultiplexer, and 
storing the substituted upper 64-bit data in a 64-bit data register; 

when a second clock of the round operation start signal becomes *1\ a 
mix/inverse-mixcolumn transform unit performing a mixcolumn of the upper 64- 
5 bit data outputted through an encryption output terminal of the first demultiplexer 
and stored in the 64-bit data register, and outputting the mixcolumn-transformed 
upper 64-bit data to a second demultiplexer, an add-round-key transform unit 
successively performing an addition of this upper 64-bit data to an upper 64-bit 
round key generated by the round key generation unit, and storing the added upper 

10 64-bit data in the 64-bit data register, the shift/inverse-shift_row transform unit 
simultaneously performing a byte-shift of lower 64-bit data of the 128-bit input 
data inputted through the bus, and outputting the byte-shifted lower 64-bit data 
through the first multiplexer, and the substitution/inverse-substitution transform 
unit successively performing a substitution of the lower 64-bit data, outputting the 

15 substituted lower 64-bit data to the first demultiplexer, and storing the substituted 
lower 64-bit data in lower 64 bits of a 128-bit data register; and 

when a third clock of the round operation start signal becomes 6 1 ', storing 
the 64-bit data added and then stored in the 64-bit data register in upper 64 bits of 
the 128-bit data register, the mix/inverse-mixcolumn transform unit 

20 simultaneously performing a mixcolumn of the lower 64-bit data outputted 
through the encryption output terminal of the first demultiplexer and stored in the 
128-bit data register, and outputting the mixcolumn-transformed lower 64-bit data 
to the second demultiplexer, and the add-round-key transform unit successively 
performing an addition of the lower 64-bit data to lower 64-bit round key 

25 generated by the round key generation unit, and storing the added lower 64-bit 
data in the lower 64 bits of the 1 28-bit data register. 

21. The encryption method as claimed in claim 20, wherein at the step of 
the round key generation unit transforming the 128-bit input key into the 128-bit 
30 round key for encryption in accordance with the value of the mode signal inputted 
through the bus, and storing the 128-bit round key in the internal 128-bit round 
key register, the 128-bit round key for encryption is generated in a period of two 
clocks of the round operation start signal. 

35 22. A rijndael block decryption method comprising the steps of: 
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if a three-clock round operation start signal and a round number signal are 
inputted from a round operation control unit after an encryption or decryption 
operation start signal and a mode signal are inputted through a bus, a round key 
generation unit of a round operation unit transforming a 128-bit input key into a 
5 128-bit round key for decryption in accordance with a value of the mode signal 
inputted through the bus from a time when a first clock of the round operation 
start signal becomes U\ and storing the 128-bit round key in an internal 128-bit 
round key register; 

if the three-clock round operation start signal and a bit selection signal are 
1 0 inputted from the round operation control unit, a shift/inverse-shift_row transform 
unit performing a byte-inverse-shift of upper 64-bit data of 128-bit input data 
inputted through the bus, and outputting the byte-inverse-shifted upper 64-bit data 
through a first multiplexer when the first clock becomes c l\ and a 
substitution/inverse-substitution transform unit successively performing an 
15 inverse substitution of the upper 64-bit data, outputting the inverse-substituted 
upper 64-bit data to a first demultiplexer, and storing the inverse-substituted upper 
64-bit data in a 64-bit data register; 

when a second clock of the round operation start signal becomes T, an 
add-round-key transform unit performing an addition of the upper 64-bit data 
20 outputted through a decryption output terminal of the first demultiplexer and 
stored in the 64-bit data register to upper 64-bit round key generated by the round 
key generation unit, and outputting the added upper 64-bit data to a third 
demultiplexer, a mix/inverse-mixcolumn transform unit successively performing 
an inverse mixcolumn of the added upper 64-bit data, outputting the inverse- 
25 mixcolumn-transformed upper 64-bit data through a second demultiplexer, and 
storing the inverse-mixcolumn-transformed upper 64-bit data in the 64-bit data 
register, the shift/inverse-shift row transform unit simultaneously performing a 
byte-inverse-shift of lower 64-bit data of the 128-bit input data inputted through 
the bus, and outputting the byte-inverse-shifted lower 64-bit data through the first 
30 multiplexer, and the substitution/inverse-substitution transform unit successively 
performing an inverse substitution of the lower 64-bit data, outputting the inverse- 
substituted lower 64-bit data to the first demultiplexer, and storing the inverse- 
substituted lower 64-bit data in lower 64 bits of a 128-bit data register, and 

when a third clock of the round operation start signal becomes M\ the 
35 add-round-key transform unit performing an addition of the lower 64-bit data 
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outputted through the decryption output terminal of the first demultiplexer and 
stored in the 128-bit data register to lower 64-bit round key generated by the 
round key generation unit and outputting the added lower 64-bit data to the third 
demultiplexer, the mix/inverse-mixcolumn transform unit successively 
5 performing an inverse mixcolumn of the added lower 64-bit data, outputting the 
inverse-mixcoluran-transformed lower 64-bit data through a second 
demultiplexer, and storing the inverse-mixcolumn-transformed lower 64-bit data 
in the lower 64 bits of the 128-bit data register, and simultaneously storing the 
upper 64-bit data stored in the 64-bit data register in upper 64 bits of the 128-bit 
10 data register. 



23. The decryption method as claimed in claim 22, wherein at the step of 
the round key generation unit transforming the 128-bit input key into the 128-bit 
round key for decryption in accordance with the value of the mode signal inputted 
through the bus, and storing the 128-bit round key in the internal 128-bit round 
key register, the 128-bit round key for decryption is generated in a period of two 
clocks of the round operation start signal. 

24. A rijndael block encryption method comprising the steps of: 

if a two-clock round operation start signal and a round number signal are 
inputted from a round operation control unit after an encryption or decryption 
operation start signal and a mode signal are inputted through a bus, a round key 
generation unit of a round operation unit transforming a 128-bit input key into a 
128-bit round key for encryption in accordance with a value of the mode signal 
inputted through the bus from a time when a first clock of the round operation 
start signal becomes T, and storing the 128-bit round key in an internal 128-bit 
round key register; 

if the two-clock round operation start signal and a bit selection signal are 
inputted from the round operation control unit, a shift/inverse-shift_row transform 
unit performing a byte-shift of upper 64-bit data of 128-bit input data inputted 
through the bus and outputting the byte-shifted upper 64-bit data through a first 
multiplexer when the first clock becomes T, a substitution/inverse-substitution 
transform unit successively performing a substitution of the upper 64-bit data, and 
outputting the substituted upper 64-bit data through a first demultiplexer, a 
mix/inverse-mixcolumn transform unit performing a mixcolumn of the upper 64- 
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bit data outputted through an encryption output terminal of the first demultiplexer, 
and outputting the mixcolumn-transformed upper 64-bit data to a second 
demultiplexer, and an add-round-key transform unit successively performing an 
addition of this upper 64-bit data to an upper 64-bit round key generated by the 
5 round key generation unit, and storing the added upper 64-bit data in a 64-bit data 
register; and 

when a second clock of the round operation start signal becomes '1 the 
shift/inverse-shift_row transform unit performing a byte-shift of lower 64-bit data 
of the 128-bit input data inputted through the bus and outputting the byte-shifted 

10 lower 64-bit data through the first multiplexer, and the substitution/inveree- 
substitution transform unit successively performing a substitution of the lower 64- 
bit data, and outputting the substituted lower 64-bit data to the first demultiplexer, 
the mix/inverse-mixcolumn transform unit successively performing a mixcolumn 
of the lower 64-bit data, and outputting the mixcolumn-transformed lower 64-bit 

15 data to the second demultiplexer, the add-round-key transform unit successively 
performing an addition of this lower 64-bit data to lower 64-bit round key 
generated by the round key generation unit, and storing the added lower 64-bit 
data in lower 64 bits of a 128-bit data register, and simultaneously storing the 
upper 64-bit data stored in the 64-bit data register in upper 64 bits of the 128-bit 
20 data register. 

25. The encryption method as claimed in claim 24, wherein at the step of 
the round key generation unit transforming the 128-bit input key into the 128-bit 
round key for encryption in accordance with the value of the mode signal inputted 

25 through the bus, and storing the 128-bit round key in the internal 128-bit round 
key register, the 128-bit round key for encryption is generated in a period of one 
clock of the round operation start signal. 

26. A rijndael block decryption method comprising the steps of: 

30 if a two-clock round operation start signal and a round number signal are 

inputted from a round operation control unit after an encryption or decryption 
operation start signal and a mode signal are inputted through a bus, a round key 
generation unit of a round operation unit transforming a 128-bit input key into a 
128-bit round key for decryption in accordance with a value of the mode signal 

35 inputted through the bus from a time when a first clock of the round operation 
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start signal becomes «I\ and storing the 128-bit round key in an internal 128-bit 
round key register; 

if the two-clock round operation start signal and a bit selection signal are 
inputted from the round operation control unit, a shift/inverse-shift_row transform 
5 unit performing a byte-inverse-shift of upper 64-bit data of 128-bit input data 
inputted through the bus, and outputting the byte-inverse-shifted upper 64-bit data 
through a first multiplexer when the first clock becomes 'P, a 
substitution/inverse-substitution transform unit successively performing an 
inverse substitution of the upper 64-bit data, and outputting the inverse-substituted 
10 upper 64-bit data to a first demultiplexer, an add-round-key transform unit 
successively performing an addition of the upper 64-bit data outputted through a 
decryption output terminal of the first demultiplexer to an upper 64-bit round key 
generated by the round key generation unit, and outputting the added upper 64-bit 
data to a third demultiplexer, and a mix/inverse-mixcolumn transform unit 
15 successively performing an inverse mixcolumn of the added upper 64-bit data, 
outputting the inverse-mixcolumn-transformed upper 64-bit data through a second 
demultiplexer, and storing the inverse-mixcolumn-transformed upper 64-bit data 
in a 64-bit data register; and 

when a second clock of the round operation start signal becomes T, the 
2 0 shift/inverse-shift_row transform unit performing a byte-inverse-shift of lower 64- 
bk data of the 128-bit input data inputted through the bus and outputting the byte- 
inverse-shifted lower 64-bit data through the first multiplexer, the 
substitution/inverse-substitution transform unit successively performing an 
inverse substitution of the lower 64-bit data, and outputting the inverse-substituted 
25 lower 64-bit data to the first demultiplexer, the add-round-key transform unit, 
successively performing an addition of the lower 64-bit data outputted through the 
decryption output terminal of the first demultiplexer to a lower 64-bit round key 
generated by the round key generation unit, and outputting the added lower 64-bit 
data to the third demultiplexer, the mix/inverse-raixcoiumn transform unit 
30 successively performing an inverse mixcolumn of the added lower 64-bit data, 
outputting the inverse-mixcolumn-transformed lower 64-bit data through a second 
demultiplexer, and storing the inverse-mixcolumn-transformed lower 64-bit data 
in lower 64 bits of a 128-bit data register, and simultaneously storing the upper 
64-bit data stored in the 64-bit data register in upper 64 bits of the 128-bit data 
35 register. 
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27. The decryption method as claimed in claim 26, wherein at the step of 
the round key generation. unit transforming the 128-bit input key into the 128-bit 
round key for decryption in accordance with the value of the mode signal inputted 
through the bus, and storing the 128-bit round key in the internal 128-bit round 
key register, the 128-bit round key for decryption is generated in a period of one 
clock of the round operation start signal. 
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Abstract 

A rijndael block cipher apparatus including an operational unit that 
efficiently performs a round operation for encrypting/decrypting a rijndael block 
cipher and an encryption/decryption method thereof are disclosed. The rijndael 
block cipher apparatus is mounted in a mobile terminal such as a cellular phone 
and a PDA or a smart card, which requires a high-rate and small-sized cipher 
processor, and can encrypt and decrypt important data that requires security at 
high speed and perform the round operation with respect to upper 64 bits and 
lower 64 bits which are divided from 128-bit input data. Thus, the cipher 
apparatus can reduce the time required for encryption/decryption of the rijndael 
block cipher and the size of the apparatus. 
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